From d7838ad37a7d6c3abfc1f2df067a48ed13fb116b Mon Sep 17 00:00:00 2001 From: Johnson Shih Date: Thu, 19 Dec 2019 13:39:40 -0800 Subject: [PATCH 001/217] Add autologon account information Add autologon account information --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index b8eb37197c..846086718a 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1221,7 +1221,7 @@ ShellLauncherConfiguration Add ``` -ShellLauncherConfiguration Add AutoLogon +ShellLauncherConfiguration Add AutoLogon, this will create an autologon account (standard user, no password) on your behalf. The autologon account is managed by AssignedAccessCSP so the account name is not exposed. ``` From 4ce116228da67eb2cbe833129d0547eae050d0c9 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 25 Aug 2020 10:25:04 +0530 Subject: [PATCH 002/217] Github-update-app-v-windows10-PR Updated the tables under "Management server database requirements" and "Reporting server database requirements" with SQL Server 2019 info. --- .../app-v/appv-supported-configurations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 340244864b..bfd278de1c 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md 
@@ -51,7 +51,7 @@ The following table lists the SQL Server versions that the App-V Management data |SQL Server version|Service pack|System architecture| |---|---|---| -|Microsoft SQL Server 2019||32-bit or 64-bit| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| @@ -90,6 +90,7 @@ The following table lists the SQL Server versions that are supported for the App |SQL Server version|Service pack|System architecture| |---|---|---| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| From 8ce5c04f2b37b761fe6a1562bdbfc4f07776c342 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 8 Sep 2020 17:42:07 +0530 Subject: [PATCH 003/217] Update-bl-mgep-4318240 made minor changes in language --- .../bitlocker-management-for-enterprises.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 78eb7b7715..8791e6cf7a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -17,11 +17,11 @@ ms.reviewer: ms.custom: bitlocker --- -# BitLocker Management for Enterprises +# BitLocker management for enterprises -The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. > [!IMPORTANT] 
@@ -31,39 +31,39 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings/). -Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). 
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker which are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). ## Managing devices joined to Azure Active Directory Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. +Starting with Windows 10, version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. 
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. The Azure AD provides a portal where recovery keys are also backed up; thus, users can retrieve their own recovery keys for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10, version 1703 (the Windows 10 Creators Update), administrators can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This is applicable to Azure Hybrid AD as well. ## Managing workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. +For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. ## Managing servers -Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. 
+Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. -The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/). +The minimal server interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/). 
If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. - Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).   ## PowerShell examples -For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. +For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* ```powershell From 6b209962f6599188ba2f461f510079e9c4d2e283 Mon Sep 17 00:00:00 2001 
From: Joseph Knierman Date: Wed, 16 Dec 2020 08:24:58 -0800 Subject: [PATCH 004/217] added draft changes to Assigned Access Configuration section --- windows/client-management/mdm/assignedaccess-csp.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 3a48ac399e..7eb3a57caf 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -75,6 +75,10 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Supports Microsoft Edge kiosk mode, which allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Create a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/windows/configuration/test). + +Allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default this is set to ctrl+alt+delete. For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). + > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > From 86847b0904ed624e0abfbd05fa067a821c9ec329 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Wed, 16 Dec 2020 08:54:50 -0800 Subject: [PATCH 005/217] added draft changes to Assigned Access Configuration XML --- .../mdm/assignedaccess-csp.md | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 7eb3a57caf..b2005cb0ae 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -77,7 +77,7 @@ Added in Windows 10, version 1709. Specifies the settings that you can configure Supports Microsoft Edge kiosk mode, which allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Create a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/windows/configuration/test). -Allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default this is set to ctrl+alt+delete. For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). +Allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default the breakout sequence is set to ctrl+alt+delete. For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -516,6 +516,7 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele ## Example AssignedAccessConfiguration XML +Example XML configuration for a multi app kiosk. ```xml 
@@ -567,6 +568,49 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele ``` +Example XML configuration for a Microsoft Edge kiosk. This Edge kiosk s configure to launch www.bing.com on startup. +```xml + + + + + + + + + + EdgeKioskUser + + + + +``` + +Example XML configuration for setting a breakout sequence to be Shift+Windows on a Microsoft Edge kiosk. Note BreakoutSequence can be applied to any kiosk type not just an Edge kiosk. +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## Configuration examples XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. From e5a3daaefd6ad20add89cda0ac18aafe8a21c134 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Wed, 16 Dec 2020 13:31:47 -0800 Subject: [PATCH 006/217] added draft changes examples added from code --- .../mdm/assignedaccess-csp.md | 4 +- .../mdm/assignedaccess-ddf.md | 175 +++++++++++++++++- 2 files changed, 175 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index b2005cb0ae..0cae125012 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -75,9 +75,7 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -Supports Microsoft Edge kiosk mode, which allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Create a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/windows/configuration/test). - -Allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default the breakout sequence is set to ctrl+alt+delete. For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). +Currently in Windows 10 Insider Preview Build is Microsoft Edge kiosk mode. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Create a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/windows/configuration/test). The Windows 10 Insider Preview Build also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default the breakout sequence is set to ctrl+alt+delete. 
For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 703958aa0e..f5562707ae 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,4 +1,4 @@ ---- + --- title: AssignedAccess DDF description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 
@@ -195,6 +195,179 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu ``` +The XML below is for Windows 10, version 1909. +```xml + + +]> + + 1.2 + + AssignedAccess + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/4.0/MDM/AssignedAccess + + + + KioskModeApp + + + + + + + + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. + +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. + +When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. + +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + + + + + + + + + + + text/plain + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + This read only node contains kiosk health event xml + + + + + + + + + + + + + + text/plain + + + + + ShellLauncher + + + + + + + + This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + + + StatusConfiguration + + + + + + + + This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + + + + +``` + ## Related topics From 9376302517f01894cff9c75fec27d1d7c4b99621 Mon Sep 17 00:00:00 2001 
From: Joseph Knierman Date: Wed, 16 Dec 2020 14:01:34 -0800 Subject: [PATCH 007/217] draft update guidelines for choosing an app for assigned access --- windows/configuration/guidelines-for-assigned-access-app.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index bbe21777b6..500a3ccc14 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -45,6 +45,8 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers +In Windows 10, Version 1909, Assigned access adds support for the new Microsoft Edge kiosk mode support. [Learn how to deploy Microsoft Edge kiosk mode](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-configure-kiosk-mode). + In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. From 7c6758fbe221fdf840a8270dec92cdbf67b0851b Mon Sep 17 00:00:00 2001 
From: Joseph Knierman Date: Wed, 16 Dec 2020 14:08:12 -0800 Subject: [PATCH 008/217] draft update guidelines for choosing an app for assigned access --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 500a3ccc14..431ffa6832 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -47,7 +47,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t In Windows 10, Version 1909, Assigned access adds support for the new Microsoft Edge kiosk mode support. [Learn how to deploy Microsoft Edge kiosk mode](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-configure-kiosk-mode). -In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +In Windows 10, version 1809, Microsoft Edge includes support for legacy kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. 
From ed0180bdc5ea15106bf7137f86a133cf495f701c Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Thu, 17 Dec 2020 07:39:14 -0800 Subject: [PATCH 009/217] draft update 1 for set up a single-app kiosk --- .../guidelines-for-assigned-access-app.md | 6 +++ windows/configuration/kiosk-xml.md | 51 ++++++++++++++++--- 2 files changed, 51 insertions(+), 6 deletions(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 431ffa6832..1270ea3283 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -156,6 +156,12 @@ You can create your own web browser Windows app by using the WebView class. Lear Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +## Customize your breakout sequence + +Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common windows keyboard shortcut. It is recommended that this is set to a non-standard windows shortcut to prevent disruptions in the kiosk experience. + +The Breakout Sequence can only be customized at the provision time of the kiosk. There is also no GUI for specifying this currently, so it would need to be specified in a provision method like MDM or WMI which allow the user to specify the configuration in an XML format. + ## App configuration Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index c0eb573c32..1cc2cd11d9 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -254,6 +254,29 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` +## Microsoft Edge Kiosk XML Sample +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## [Preview] Global Profile Sample XML Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. @@ -635,12 +658,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML ->[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds). -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - ```xml - + @@ -662,8 +682,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + + + + + + @@ -672,7 +698,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - + + + + + + + + + + + + + @@ -773,6 +811,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + From b2f80a65518eccc03104a32229a61a309326320b Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Thu, 17 Dec 2020 07:39:31 -0800 Subject: [PATCH 010/217] draft update 2 for set up a single-app kiosk --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 1270ea3283..5c30c9b7b2 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
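Review bot: In kiosk-xml.md, hunk @@ -635,12 +658,7, both the [!NOTE] and the sentence "Below schema is for AssignedAccess Configuration up to Windows 10 1803 release." are deleted with nothing put in their place, so the XSD section no longer states which Windows release the schema covers, even though the hunks that follow add new content to that schema. Keep an introductory sentence and update the release it names instead of removing it.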
@@ -160,7 +160,7 @@ Avoid selecting Windows apps that may expose the information you don’t want to Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common windows keyboard shortcut. It is recommended that this is set to a non-standard windows shortcut to prevent disruptions in the kiosk experience. -The Breakout Sequence can only be customized at the provision time of the kiosk. There is also no GUI for specifying this currently, so it would need to be specified in a provision method like MDM or WMI which allow the user to specify the configuration in an XML format. +There is currently no GUI for customizing the breakout sequence, so it would need to be specified in a provision method where an XML format is used like MDM. ## App configuration From 5a28a0d7d00252e98be1d88f614c13d219fd3a77 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Thu, 17 Dec 2020 08:19:27 -0800 Subject: [PATCH 011/217] fixed links and formatting issues --- .../mdm/assignedaccess-ddf.md | 173 ------------------ 1 file changed, 173 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f5562707ae..790a9fa3ea 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
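Review bot: In hunk @@ -160,7 +160,7, the replacement sentence drops two statements the previous draft made: that the breakout sequence "can only be customized at the provision time of the kiosk", and that WMI is a usable method alongside MDM. If both still hold, they are the operationally important part of this paragraph and should stay; if they were wrong, say so in the commit message, which reads only "draft update 2". The new wording "a provision method where an XML format is used like MDM" also reads as though MDM were an XML format; "a provisioning method that accepts XML, such as MDM" is clearer.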
@@ -22,179 +22,6 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1803. - -```xml - - -]> - - 1.2 - - AssignedAccess - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/2.0/MDM/AssignedAccess - - - - KioskModeApp - - - - - - - - This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. - -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. - -When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. - -This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. - - - - - - - - - - - - - - text/plain - - - - - Configuration - - - - - - - - This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - This read only node contains kiosk health event xml - - - - - - - - - - - - - - text/plain - - - - - ShellLauncher - - - - - - - - This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. 
- - - - - - - - - - - - - - text/plain - - - - - StatusConfiguration - - - - - - - - This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - -``` - The XML below is for Windows 10, version 1909. ```xml From 213e2d3f65479abe2df943dce341252660e29116 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Thu, 17 Dec 2020 08:38:21 -0800 Subject: [PATCH 012/217] removed extra space --- .../mdm/assignedaccess-csp.md | 54 +++++++++++++++++-- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 0cae125012..a471243300 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
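Review bot: The subject line says "fixed links and formatting issues", but the only hunk in this patch, @@ -22,179 +22,6 in assignedaccess-ddf.md, deletes the entire "The XML below is for Windows 10, version 1803." listing and touches no link. Describe the removal in the commit message and tell readers still on version 1803 where the DDF for that release can be found, or restore the block.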
@@ -75,7 +75,7 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -Currently in Windows 10 Insider Preview Build is Microsoft Edge kiosk mode. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Create a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/windows/configuration/test). The Windows 10 Insider Preview Build also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. By default the breakout sequence is set to ctrl+alt+delete. For details on how to customize a breakout sequence, see [Create a custom breakout sequence for a kiosk](https://docs.microsoft.com/windows/configuration/test). +Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. 
> [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -247,7 +247,7 @@ KioskModeApp Replace ## AssignedAccessConfiguration XSD -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +Below schema is for AssignedAccess Configuration up to Windows 10 1909 release. ```xml @@ -258,11 +258,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" + xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > + @@ -272,8 +274,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + + + + + + @@ -282,7 +290,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - + + + + + + + + + + + + + @@ -383,6 +403,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + @@ -421,7 +442,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - +); ``` Here is the schema for new features introduced in Windows 10 1809 release 
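Review bot: In assignedaccess-csp.md, hunk @@ -421,7 +442,7, the added last line of the XSD block ends with ");" immediately before the closing code fence. Those two characters are not valid in an XML schema, and anyone who copies the block as published will get a document that fails to parse. Remove them so the schema ends cleanly.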
@@ -499,6 +520,31 @@ Schema for Windows 10 prerelease ``` +Schema for features introduced in Windows 10, version 1909. +```xml + + + + + + + + + + + + + +``` + To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml Date: Fri, 18 Dec 2020 07:22:49 -0800 Subject: [PATCH 013/217] fixes from PR --- windows/client-management/mdm/assignedaccess-csp.md | 12 ++++++++---- windows/client-management/mdm/assignedaccess-ddf.md | 1 - 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index a471243300..be244e5716 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -560,7 +560,7 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele ## Example AssignedAccessConfiguration XML -Example XML configuration for a multi app kiosk. +Example XML configuration for a multi-app kiosk: ```xml @@ -633,7 +633,9 @@ Example XML configuration for a Microsoft Edge kiosk. This Edge kiosk s configur ``` -Example XML configuration for setting a breakout sequence to be Shift+Windows on a Microsoft Edge kiosk. Note BreakoutSequence can be applied to any kiosk type not just an Edge kiosk. +Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. +[!Note] +**BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. ```xml - - + + + 
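Review bot: In assignedaccess-csp.md, hunk @@ -633,7 +633,9, the added "[!Note]" line has no leading ">", and neither does the "**BreakoutSequence** can be applied to any kiosk type" line after it, so the pair renders as plain text instead of a note; the existing callout earlier in this file is written "> [!Note]" with a ">"-prefixed body. Separately, the example now sets the breakout sequence to Ctrl+A, which is a common select-all shortcut. That works against the guidance this series adds to guidelines-for-assigned-access-app.md, which recommends a non-standard shortcut so the kiosk session is not interrupted. Use a combination a kiosk user is unlikely to press by accident.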
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 790a9fa3ea..af05799855 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -192,7 +192,6 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - ``` ## Related topics From 8805684c54f1c2f621ccc4c29a8391e7e62b3472 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Fri, 18 Dec 2020 07:24:10 -0800 Subject: [PATCH 014/217] removed space --- windows/client-management/mdm/assignedaccess-ddf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index af05799855..ad54fb7f07 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,4 +1,4 @@ - --- +--- title: AssignedAccess DDF description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 From db13660dbe280756c65702768f1951b12fd98f30 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Fri, 18 Dec 2020 11:30:06 -0800 Subject: [PATCH 015/217] xml format changes added --- windows/client-management/mdm/assignedaccess-csp.md | 3 +-- windows/configuration/kiosk-xml.md | 5 +++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index be244e5716..4712c79d55 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -634,7 +634,7 @@ Example XML configuration for a Microsoft Edge kiosk. This Edge kiosk s configur ``` Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. -[!Note] +>[!Note] **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. ```xml @@ -646,7 +646,6 @@ Example XML configuration for setting a breakout sequence to be Ctrl+A on a Micr - diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 1cc2cd11d9..278c259d64 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -264,8 +264,9 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom - + + From 2b4ed8fc088a9e340861e9f6c8eb25051fa63e54 Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Fri, 18 Dec 2020 11:37:00 -0800 Subject: [PATCH 016/217] xml format changes added --- windows/client-management/mdm/assignedaccess-csp.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 4712c79d55..a7ba5eae75 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -621,7 +621,8 @@ Example XML configuration for a Microsoft Edge kiosk. This Edge kiosk s configur > - + From 2539d7794a5c97449c75ef648bf443dd107db3ee Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Wed, 27 Jan 2021 01:15:26 -0800 Subject: [PATCH 017/217] added changes from PR --- windows/client-management/mdm/assignedaccess-csp.md | 12 ++++++------ .../guidelines-for-assigned-access-app.md | 6 +++--- windows/configuration/kiosk-xml.md | 4 ++-- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index a7ba5eae75..397cc810b3 100644 
--- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -75,7 +75,7 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. +Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. 
> [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -247,7 +247,7 @@ KioskModeApp Replace ## AssignedAccessConfiguration XSD -Below schema is for AssignedAccess Configuration up to Windows 10 1909 release. +The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release. ```xml 
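Review bot: In hunk @@ -247,7 +247,7, the introductory sentence now says the schema covers releases "up to Windows 10 20H2 release", while hunk @@ -75,7 +75,7 of this same patch says Microsoft Edge kiosk mode and the breakout sequence were added in "Windows 10, version 1909", and the namespace declared for them in this schema is ".../AssignedAccess/2021/config". A reader cannot tell from these three statements which release is the minimum for the new elements. State the minimum version once, next to the namespace, and write the release here in the same "Windows 10, version ..." form the rest of the file uses.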
@@ -520,7 +520,7 @@ Schema for Windows 10 prerelease ``` -Schema for features introduced in Windows 10, version 1909. +The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization. ```xml ``` -Example XML configuration for a Microsoft Edge kiosk. This Edge kiosk s configure to launch www.bing.com on startup. +Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. ```xml [!Note] -**BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. +> [!NOTE] +> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. ```xml ``` -## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +## Global Profile Sample XML +Global profile is currently supported in Windows 10, version 2004 and later. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml From 9f44ce4bca1f30ac0bf9625cf048041564b7bb8f Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Fri, 5 Feb 2021 12:26:36 -0800 Subject: [PATCH 018/217] added in note on idle timeout and breakout sequence example --- windows/configuration/kiosk-single-app.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 92c0f753d1..042dbe70fd 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -267,7 +267,10 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - +> [!NOTE] +> **IdleTimeOut** does not apply to the new Microsoft Edge kiosk mode. + + The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **A** is the key value. [See how this is configured using in xml](https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). From 87ecaced68b764559a616ad9e44fcf7864560b94 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 13:06:46 +0530 Subject: [PATCH 019/217] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
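Review bot: In kiosk-single-app.md, hunk @@ -267,7 +267,10, the added breakout-sequence paragraph begins with a leading space, gives the example as "Shift + Alt + a" but then names the key as "A", and ends with the link text "See how this is configured using in xml". Remove the indent, use one case for the key throughout, and reword the link to "See how this is configured in XML". The link target also hard-codes the "en-us" locale, which the other docs.microsoft.com links in this series omit.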
@@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From c23d0c30324211440291a4d035de7a045f4418bf Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Fri, 5 Mar 2021 12:38:56 -0800 Subject: [PATCH 020/217] add in changes from PR comments --- windows/configuration/guidelines-for-assigned-access-app.md | 6 +++--- windows/configuration/kiosk-single-app.md | 2 +- windows/configuration/kiosk-xml.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 907f1635b2..cfbe09c2b5 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -45,7 +45,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-configure-kiosk-mode). +In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) 
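Review bot: In hunk @@ -45,7 +45,7, the corrected link for the new Microsoft Edge and the unchanged link on the next line for Microsoft Edge Legacy carry the same text, "Learn how to deploy Microsoft Edge kiosk mode", although they point to different products with different kiosk configurations. Name the product in each link text so a reader picks the right deployment guide, and place the closing period consistently (it is outside the brackets on the changed line and inside them on the context line).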
@@ -158,9 +158,9 @@ Avoid selecting Windows apps that may expose the information you don’t want to ## Customize your breakout sequence -Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common windows keyboard shortcut. It is recommended that this is set to a non-standard windows shortcut to prevent disruptions in the kiosk experience. +Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience. -There is currently no UI for customizing the breakout sequence in Windows Settings, so it would need to be specified in a provision method where an XML format is used like MDM. +There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used. ## App configuration diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 042dbe70fd..8ea21a80c4 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -270,7 +270,7 @@ To change the default time for assigned access to resume, add *IdleTimeOut* (DWO > [!NOTE] > **IdleTimeOut** does not apply to the new Microsoft Edge kiosk mode. - The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **A** is the key value. [See how this is configured using in xml](https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). + The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. [See how this is configured in XML](https://docs.microsoft.com/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 65ecf4cc93..e9bc0774a3 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -279,9 +279,9 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## Global Profile Sample XML -Global profile is currently supported in Windows 10, version 2004 and later. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +Global Profile is currently supported in Windows 10, version 2004 and later. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or it is used as mitigation when a profile cannot be determined for a user. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in +This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account logs in. ```xml Date: Fri, 16 Apr 2021 13:06:27 -0700 Subject: [PATCH 021/217] Update windows/client-management/mdm/assignedaccess-ddf.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/assignedaccess-ddf.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index ad54fb7f07..7555504ca8 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -63,7 +63,7 @@ The XML below is for Windows 10, version 1909. This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. @@ -207,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - From 012f2605a8f5f3368cb23c579180f1033f37dbc6 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Fri, 20 Aug 2021 14:11:38 -0700 Subject: [PATCH 022/217] Update to Certificate definition --- windows/privacy/manage-windows-1709-endpoints.md | 2 ++ windows/privacy/manage-windows-1803-endpoints.md | 2 ++ windows/privacy/manage-windows-1809-endpoints.md | 2 ++ windows/privacy/manage-windows-1903-endpoints.md | 2 +- windows/privacy/manage-windows-1909-endpoints.md | 2 +- windows/privacy/manage-windows-2004-endpoints.md | 2 +- windows/privacy/manage-windows-20H2-endpoints.md | 2 +- 7 files changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 8c9ec8ec64..249701a04b 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md 
@@ -150,6 +150,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. + The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index 88aab3a7f9..47d72871ce 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md 
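Review bot: In manage-windows-1709-endpoints.md, hunk @@ -150,6 +150,8, the second added paragraph says a stale untrusted-certificate list "increases the attack vector on the device". An attack vector is a path, not a quantity; wording such as "leaves the device trusting certificates already known to be fraudulent" states the actual consequence. That paragraph also repeats the "applications and websites may stop working" warning that the unchanged paragraph directly below it already gives, so one of the two can be cut. In the first added paragraph, "Windows Updates" should be "Windows Update" to match the context line, and the comma after "certification authority (CA)" should go. The same two paragraphs are added verbatim to the 1803 and 1809 files, so the corrections apply there as well.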
@@ -151,6 +151,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. + The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 3da8139a20..15defa1a52 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -162,6 +162,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. + The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 6045eb3da4..84fe836e14 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -67,7 +67,7 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 5ef89fdb59..52426e2f66 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. 
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 6e2d31cd9a..4c80cf5104 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/* ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. 
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*| diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 4378cb0b1d..526e5a2797 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. 
These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| From d61467798dba76b7319b0dc4db874726e0d57258 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Fri, 20 Aug 2021 15:04:58 -0700 Subject: [PATCH 023/217] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Added the Windows Feeds GP. https://microsoft.visualstudio.com/DefaultCollection/OS/_workitems/edit/35115207 --- ...-operating-system-components-to-microsoft-services.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 189ace9071..e57ef99b93 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
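Review bot: In the Certificates rows of the 1903, 1909, 2004 and 20H2 endpoint tables, the replacement text drops "These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint." while the row still links to the instructions for turning the traffic off, so the reader is no longer told that blocking ctldl.windowsupdate.com is discouraged; keep that recommendation in the new wording. The new text also says "Windows Updates" where the service is Windows Update, has a stray comma in "issued by a certification authority (CA), are stored", and "increases the attack vector" would be more accurate as "increases the attack surface". In the 1803 and 1809 hunks the added paragraph sits directly above the unchanged paragraph that already says applications and websites may stop working without an updated root certificate, so the two now repeat each other; merge them.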
@@ -855,6 +855,8 @@ Use Settings > Privacy to configure some settings that may be important to yo - [18.23 Voice Activation](#bkmk-voice-act) +- [18.24 News and interests](#bkmk-priv-news) + ### 18.1 General **General** includes options that don't fall into other areas. @@ -1523,6 +1525,13 @@ To turn this Off in the UI: - Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)** +### 18.24 News and interests + +In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**. ### 19. Software Protection Platform From f2d9c07dcf4b5183673523db5af65ee30d8a3212 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Fri, 20 Aug 2021 15:38:48 -0700 Subject: [PATCH 024/217] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Added troubleshooting links. https://microsoft.visualstudio.com/DefaultCollection/OS/_workitems/edit/34812129 --- ...dows-operating-system-components-to-microsoft-services.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e57ef99b93..cb2491d5a9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
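Review bot: In the new "18.24 News and interests" section of manage-connections-from-windows-operating-system-components-to-microsoft-services.md, the sentence "In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information." does not describe what the EnableFeeds value controls and reads like text carried over from another privacy section; replace it with a sentence about the News and interests feed. The commit message says the Windows Feeds Group Policy was added, but the section gives only the registry value, so add the Group Policy setting alongside it. The registry path is written with escaped backslashes (HKLM\\SOFTWARE\\Policies\\...) while the 18.23 entry just above uses HKEY_LOCAL_MACHINE\Software\Policies\...; use one form. The last added line also runs straight into "### 19. Software Protection Platform" with no blank line before the heading.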
@@ -54,6 +54,11 @@ The following sections list the components that make network connections to Micr The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. + >[!IMPORTANT] +>**If you need assistance with troubleshooting issues, please refer to:**
+> - [Keep your device running smoothly](https://support.microsoft.com/en-us/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
+> - [CSP - Troubleshooting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-troubleshooting) + | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | From 82fd7309c3097133c02b94fd4f6cae5d14191f3e Mon Sep 17 00:00:00 2001 From: Joseph Knierman Date: Tue, 14 Sep 2021 15:37:16 -0700 Subject: [PATCH 025/217] added relative links --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- windows/configuration/guidelines-for-assigned-access-app.md | 4 ++-- windows/configuration/kiosk-single-app.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index a0f5885385..4b7f2a6f84 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
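Review bot: The two links in the new [!IMPORTANT] block of manage-connections-from-windows-operating-system-components-to-microsoft-services.md are absolute and pinned to a locale (https://support.microsoft.com/en-us/... and https://docs.microsoft.com/en-us/...); drop the /en-us/ segment so the reader's locale is used, and make the docs link site-relative (/windows/client-management/mdm/policy-csp-troubleshooting), which is the form a later patch in this series converts other docs.microsoft.com links to. The block is also inserted between "The following table lists management options for each setting" and the table that sentence introduces, and its first line (" >[!IMPORTANT]") is indented unlike the lines after it; move the block above that sentence and start every line at the margin.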
@@ -82,7 +82,7 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. +Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. 
An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 2810e1685a..e8b848c1a6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -45,9 +45,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). +In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). -In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 22eff9f6b2..f3438008cc 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -270,7 +270,7 @@ To change the default time for assigned access to resume, add *IdleTimeOut* (DWO > [!NOTE] > **IdleTimeOut** does not apply to the new Microsoft Edge kiosk mode. - The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. [See how this is configured in XML](https://docs.microsoft.com/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). + The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. [See how this is configured in XML](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). From 3f06b869b4cf211cc1d7fcdbfd6723dacbead3a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Thu, 16 Sep 2021 15:46:05 +0200 Subject: [PATCH 026/217] Fix SIDs for IUSR and IIS_IUSRS well known security identifiers --- .../identity-protection/access-control/security-identifiers.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index be0a573f71..0138f2f32f 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md 
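Review bot: In the kiosk-single-app.md hunk, the link target /windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample appears to sit in the same windows/configuration folder as the file being edited, so it can be a file-relative link (kiosk-xml.md#microsoft-edge-kiosk-xml-sample), the form used for the manage-connections-from-windows-operating-system-components-to-microsoft-services.md# links elsewhere in this series. The /DeployEdge/ and /microsoft-edge/ targets in the other two files point outside this folder tree, so the site-relative form is appropriate there. The commit message "added relative links" would be clearer if it said the links were changed from absolute docs.microsoft.com URLs to site-relative paths.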
@@ -205,7 +205,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| | S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| | S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| +| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| | S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| | S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| | S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| 
@@ -240,6 +240,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID |S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| |S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| |S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| +|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| |S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| |S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| |S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| From e8df71d29947947b671bcb0867741b79bd48afa0 Mon Sep 17 00:00:00 2001 
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Sat, 18 Sep 2021 12:54:50 -0700 Subject: [PATCH 027/217] Replaced the definition of Certificates to remove the word fraudulent Replaced the definition of Certificates to remove the word fraudulent --- .../privacy/manage-windows-1803-endpoints.md | 4 +- .../privacy/manage-windows-1809-endpoints.md | 4 +- .../privacy/manage-windows-1903-endpoints.md | 4 +- .../privacy/manage-windows-1909-endpoints.md | 4 +- .../privacy/manage-windows-2004-endpoints.md | 4 +- .../privacy/manage-windows-20H2-endpoints.md | 4 +- .../privacy/manage-windows-21H1-endpoints.md | 161 ++++++++++++++++++ 7 files changed, 179 insertions(+), 6 deletions(-) create mode 100644 windows/privacy/manage-windows-21H1-endpoints.md diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index 47d72871ce..60cfe989fd 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -151,7 +151,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. 
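Review bot: the new definition on the added `+Certificates are digital files...` line no longer fits the sentence that follows it. It defines untrusted certificates as those "where the server certificate issuer is unknown or is not trusted by the service", yet the next sentence still says they are "stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism". A certificate whose issuer is simply unknown cannot be enumerated in a distributed list; only certificates that have been explicitly identified as not trusted can. Suggest wording the definition around that explicit distrust (the word "fraudulent" can still be dropped), so the paragraph keeps explaining why a stale untrusted list is a risk.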
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 15defa1a52..c2c7e42c44 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -162,7 +162,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. 
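Review bot: the re-added line `+If automatic updates are turned off...` keeps the phrase "increases the attack vector on the device", which is imprecise: an attack vector is a path, not a quantity that increases. Since the line is being rewritten anyway, suggest "increases the attack surface of the device", or state the consequence directly, for example that certificates distrusted after the last update will still be accepted.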
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 84fe836e14..ac15578eba 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -67,7 +67,9 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 52426e2f66..226771442a 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -54,7 +54,9 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 4c80cf5104..80a1d264d1 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -54,7 +54,9 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/* ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*| diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 526e5a2797..8d503ed260 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -54,7 +54,9 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. 
Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. 
||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md new file mode 100644 index 0000000000..a99b73f3a8 --- /dev/null +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
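Review bot: in the manage-windows-20H2-endpoints.md hunk the `|Certificates|` table row is now split across three lines (the hunk grows from 7 to 9 lines, with an empty `+` line before `+If automatic updates are turned off`). A pipe-table row has to stay on a single line and a blank line ends the table, so the remainder of this row and the rows that follow, starting with `ctldl.windowsupdate.com`, will no longer render as table rows. Keep the cell on one line and use `<br>` for the paragraph break. The same split appears in the 1903, 1909 and 2004 hunks and in the new 21H1 table.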
@@ -0,0 +1,161 @@ +--- +title: Connection endpoints for Windows 10 Enterprise, version 21H1 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2. +keywords: privacy, manage connections to Microsoft, Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: tomlayson +manager: mfletcher +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 9/17/2021 +--- + +# Manage connection endpoints for Windows 10 Enterprise, version 21H1 + +**Applies to** + +- Windows 10 Enterprise, version 21H1 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. 
The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 21H1 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. 
To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. 
If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. 
This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. 
|TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). 
WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. 
If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. 
If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. 
If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. 
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. 
This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs 
and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file From 9e94bf395e7ba82f6187b4cbd673648cb9ab932a Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Sat, 18 Sep 2021 13:03:30 -0700 Subject: [PATCH 028/217] Update manage-windows-1709-endpoints.md Updated Certificates definition --- windows/privacy/manage-windows-1709-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 249701a04b..721183b96d 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -150,7 +150,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. From af3d264f1939ba3815117093279df0b8c8d8fd5c Mon Sep 17 00:00:00 2001 
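Review bot: The new definition on the `+` Certificates line ("certificates where the server certificate issuer is unknown or is not trusted by the service") describes a certificate that fails chain validation, which conflicts with the next sentence in the same paragraph: "Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism." A certificate from an unknown issuer cannot be listed in advance, so a locally stored, centrally updated list only makes sense for certificates that have been explicitly distrusted. Suggest defining the term that way (for example, certificates that have been explicitly marked as no longer trusted) so that the definition and the list sentence agree, and so that readers do not confuse the untrusted list with ordinary validation failures.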
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Sat, 18 Sep 2021 13:14:40 -0700 Subject: [PATCH 029/217] Corrected formatting error --- windows/privacy/manage-windows-20H2-endpoints.md | 1 - windows/privacy/manage-windows-21H1-endpoints.md | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 8d503ed260..15048c65f7 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -55,7 +55,6 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net |Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. - If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index a99b73f3a8..544f5742bd 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -1,6 +1,6 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 21H1 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2. +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1. keywords: privacy, manage connections to Microsoft, Windows 10 ms.prod: w10 ms.mktglfcycl: manage 
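Review bot: The front-matter hunk above changes the description from "version 20H2" to "version 21H1", which is a content correction rather than a formatting one, but the commit subject only says "Corrected formatting error". Suggest mentioning the description fix in the commit message, or splitting it into its own commit, so the metadata correction can be found in history.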
@@ -55,7 +55,6 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net |Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. - If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| From 68d45ff38871a0ab115019bd7a533bef898bcf78 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Sat, 18 Sep 2021 15:50:33 -0700 Subject: [PATCH 030/217] Added additional links for previous versions --- windows/privacy/manage-windows-21H1-endpoints.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 544f5742bd..dcd6176934 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -138,6 +138,7 @@ If automatic updates are turned off, applications and websites may stop working To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) 
@@ -147,6 +148,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) From 94740ce346c0b37244df77988eec3f83e22b4680 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:52:17 -0700 Subject: [PATCH 031/217] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index cb2491d5a9..d663011771 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -54,10 +54,10 @@ The following sections list the components that make network connections to Micr The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. - >[!IMPORTANT] ->**If you need assistance with troubleshooting issues, please refer to:**
-> - [Keep your device running smoothly](https://support.microsoft.com/en-us/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
-> - [CSP - Troubleshooting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-troubleshooting) + > [!IMPORTANT] +> **If you need assistance with troubleshooting issues, please refer to**:
+> - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
+> - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting) | Setting | UI | Group Policy | Registry | From f8abb9505eb8cd2285db96be7142065317eb620c Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:52:48 -0700 Subject: [PATCH 032/217] Update windows/privacy/manage-windows-1709-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-1709-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 721183b96d..e3021c019c 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md 
@@ -150,7 +150,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. From 349dbdee8080561111136bb227879cae1c24e615 Mon Sep 17 00:00:00 2001 
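Review bot: The `+` line drops the comma after "(CA)" but leaves "contacts Windows Updates to update the CTL" in the following sentence of the same line. The endpoint paragraph further down this file (visible as trailing context in patch 028) says "on Windows Update", so the plural here looks like a typo. Suggest correcting it in this change, and in the identical sentence touched by the follow-up patches for the other version pages, rather than in another round of one-line commits.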
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:53:09 -0700 Subject: [PATCH 033/217] Update windows/privacy/manage-windows-1809-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-1809-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index c2c7e42c44..e9ea3debad 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -162,7 +162,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. From 0b2e6c5bbc6d9081171ecdd61c706f5dbdc1b4a1 Mon Sep 17 00:00:00 2001 
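Review bot: The trailing context line still says a stale untrusted list "increases the attack vector on the device". A vector is a path rather than a quantity, so the usual wording would be that it increases the attack surface or leaves the device exposed to certificates that have since been distrusted. Since this paragraph is already being edited for punctuation, suggest fixing that phrase in the same pass.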
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:55:39 -0700 Subject: [PATCH 034/217] Update windows/privacy/manage-windows-2004-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-2004-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 80a1d264d1..61e552e9a8 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/* ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. 
Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| From 2845c3301f766a88255f69965731ccfb0f8d363f Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:56:02 -0700 Subject: [PATCH 035/217] Update windows/privacy/manage-windows-20H2-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-20H2-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 15048c65f7..3e6feb3e60 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. 
Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| From ee8303b7f63f565e8f6260ae10c08c99930a3ffd Mon Sep 17 00:00:00 2001 
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 21:56:36 -0700 Subject: [PATCH 036/217] Update windows/privacy/manage-windows-1909-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-1909-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 226771442a..944768ac5a 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. 
Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| From 3b77d9b7e37ef9c43829e7a0399e8391aa671149 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:02:12 -0700 Subject: [PATCH 037/217] Update windows/privacy/manage-windows-1903-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-1903-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index ac15578eba..e4d8bdf70f 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -67,7 +67,7 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. 
Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| From de7b4e9941a22b31ee5fb95085b2a0911308936f Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:02:35 -0700 Subject: [PATCH 038/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index dcd6176934..46cfe2a3d2 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -51,7 +51,7 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net |Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. From 9b44def8c1cd30b660f4a22f1b1c2e3f9763192d Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:03:04 -0700 Subject: [PATCH 039/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 46cfe2a3d2..d37b3382ee 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -52,8 +52,8 @@ The following methodology was used to derive these network endpoints: |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net |Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| 
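Review bot: The rewritten Photos row still ends at `evoke-windowsservices-tas.msedge.net` with no closing `|`, while the Weather and OneNote rows in the same hunk are terminated; since this line is being touched anyway, add the trailing pipe so the row is closed like its neighbours. The Certificates row in the trailing context also spans two source lines (the hunk's eight-line count puts "If automatic updates are turned off..." on its own line), which splits the table row and leaves the sentence about the untrusted-certificate list no longer being updated outside the Description cell; joining those two lines belongs in this series as well.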
From bc50fa1863f6e8e6c5f8b079a74732e98b07593e Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:03:20 -0700 Subject: [PATCH 040/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index d37b3382ee..a2925d1b13 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -54,7 +54,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. 
Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| From ae2450ab5ed0bd0d78335364bacd995bd0cfbff2 Mon Sep 17 00:00:00 2001 
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:03:40 -0700 Subject: [PATCH 041/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index a2925d1b13..3d74636c9f 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -70,7 +70,7 @@ If automatic updates are turned off, applications and websites may stop working |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| |||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| |||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| From 29c09f6e3021ee1f8214708253f9a7aa69f5c411 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:05:38 -0700 Subject: [PATCH 042/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 3d74636c9f..d85fba8989 100644 
--- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -83,7 +83,7 @@ If automatic updates are turned off, applications and websites may stop working |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. 
To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| From 8e3a643e820172d1fdfc8dde8e8b90c47267502c Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:13:09 -0700 Subject: [PATCH 043/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index d85fba8989..a091a7b1a0 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -112,7 +112,7 @@ If automatic updates are turned off, applications and websites may stop working |Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| -|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| From d503010897026f2dabf5b7819c216ba47a0ed8b6 Mon Sep 17 00:00:00 2001 
From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Wed, 22 Sep 2021 22:13:35 -0700 Subject: [PATCH 044/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index a091a7b1a0..a1591d8213 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -121,7 +121,7 @@ If automatic updates are turned off, applications and websites may stop working |Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||TLSv1.2/HTTPS/HTTP|arc.msn.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and operating system updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. 
Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| From ec4ee2d5fb915753a1b95eef6c6d257e94d36fe5 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:05:28 -0700 Subject: [PATCH 045/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index a1591d8213..6a2ead3f78 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -109,7 +109,7 @@ If automatic updates are turned off, applications and websites may stop working |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| From 7638d8acaf5e81e60b7a251ad60d357280837c0a Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:05:42 -0700 Subject: [PATCH 046/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 6a2ead3f78..11ba1b2ffc 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -126,7 +126,7 @@ If automatic updates are turned off, applications and websites may stop working |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| 
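Review bot: The replacement line still says "the online services of the Store" in its first sentence, so the cell now uses both "the Store" and "the Microsoft Store" for the same thing. Change that first occurrence as well, so the whole cell reads "Microsoft Store" and matches the row above it ("apps from Microsoft Store").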
From ebe2b97325480f8ef827aa34b48c7301ba085d40 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:06:02 -0700 Subject: [PATCH 047/217] Update windows/privacy/manage-windows-21H1-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 11ba1b2ffc..9c284f4cf2 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -158,5 +158,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) - [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file From 5eb239ce482c044246dddab84636f62874ac8bcd Mon Sep 17 00:00:00 2001 From: bohops Date: Wed, 29 Sep 2021 08:16:37 -0400 Subject: [PATCH 048/217] Update Block Rule Credits - Add James Forshaw James has discovered numerous WDAC bypasses and is credited with the addinprocess* findings. --- .../microsoft-recommended-block-rules.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index d9e8974465..0a04135fbc 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you | `Alex Ionescu` | `@aionescu`| | `Brock Mammen`| | | `Casey Smith` | `@subTee` | +| `James Forshaw` | `@tiraniddo` | | `Jimmy Bayne` | `@bohops` | | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` | | `Lee Christensen` | `@tifkin_` | @@ -1555,4 +1556,4 @@ Select the correct version of each .dll for the Windows release you plan to supp ## More information -- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) \ No newline at end of file +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) From f7e3dd91d76ac6b6d550936a6588fc9baada5617 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Sep 2021 11:34:11 -0700 Subject: [PATCH 049/217] Update microsoft-recommended-block-rules.md --- .../microsoft-recommended-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0a04135fbc..d7e11faa0a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -15,7 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/23/2021 +ms.date: 09/29/2021 --- # Microsoft recommended block rules From 78489ec40abdc1a2b8b84f6c6afd9c7f799e4265 Mon Sep 17 00:00:00 2001 
From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Tue, 5 Oct 2021 08:10:25 -0500 Subject: [PATCH 050/217] Update security-compliance-toolkit-10.md Updated Office version also --- .../security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index dc7c58f214..1fb53dc08f 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -44,7 +44,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline - - Office 365 Pro Plus + - M365 Apps for enterprise - Office 2016 - Microsoft Edge security baseline From 4977a99ebc7d9a55d0593860567c64a00ec412ad Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 5 Oct 2021 08:55:35 -0700 Subject: [PATCH 051/217] Update security-compliance-toolkit-10.md changed M365 to Microsoft 365 --- .../security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 1fb53dc08f..73c2193d00 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md 
@@ -44,7 +44,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline - - M365 Apps for enterprise + - Microsoft 365 Apps for enterprise - Office 2016 - Microsoft Edge security baseline From f1b755ae2b9ad36fd052ad5c400892b3384bc4b3 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 6 Oct 2021 13:47:52 -0700 Subject: [PATCH 052/217] updating references for Win11 --- .../update/deploy-updates-configmgr.md | 4 +- .../olympia/olympia-enrollment-guidelines.md | 55 ++++++++++--------- 2 files changed, 32 insertions(+), 27 deletions(-) diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 73f4b8e93f..dc99943d00 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -15,7 +15,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 1c557d6128..9e9ab9af5d 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
@@ -1,6 +1,6 @@ --- title: Olympia Corp enrollment guidelines -description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows 10 device or an Azure Active Directory-JOINED Windows 10 device. +description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device. ms.author: jaimeo ms.topic: article ms.prod: w10 
@@ -16,17 +16,22 @@ ms.custom: seo-marvel-apr2020 # Olympia Corp +**Applies to** + +- Windows 10 +- Windows 11 + ## What is Windows Insider Lab for Enterprise and Olympia Corp? Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. +- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. >[!Note] >Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. 
@@ -39,17 +44,17 @@ To request an Olympia Corp account, fill out the survey at [https://aka.ms/Regis Welcome to Olympia Corp. Here are the steps needed to enroll. -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade. Choose one of the following two enrollment options: - To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. +- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. -### Set up an Azure Active Directory-REGISTERED Windows 10 device +### Set up an Azure Active Directory-REGISTERED Windows client device This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. 
See [Set up Azure Active Directory registered Windows 10 devices](/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. 
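Review bot: In the upgrade paragraph and the second enrollment bullet, the search-and-replace produces "Windows client Pro" and "Windows client Enterprise", which are not edition names a reader can match to a license. "Windows client device" works in the headings, but where the text is about which license gets upgraded, name the editions ("Windows 10 or Windows 11 Pro", "Enterprise"). The unchanged link text under the renamed heading, "Set up Azure Active Directory registered Windows 10 devices", also still says Windows 10.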
@@ -57,26 +62,26 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ![Settings -> Accounts.](images/1-1.png) -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. +2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. +3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**. ![Entering account information when setting up a work or school account.](images/1-3.png) -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. +4. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. > [!NOTE] > Passwords should contain 8-16 characters, including at least one special character or number. ![Update your password.](images/1-4.png) -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. +5. Read the **Terms and Conditions**. Select **Accept** to participate in the program. 6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. 7. Create a PIN for signing into your Olympia corporate account. -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. 
> [!NOTE] > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). @@ -85,9 +90,9 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi -### Set up Azure Active Directory-JOINED Windows 10 device +### Set up Azure Active Directory-JOINED Windows client device -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. +- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. > [!NOTE] > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key). 
@@ -96,36 +101,36 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ![Settings -> Accounts.](images/1-1.png) -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. +2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. -3. Click **Connect**, then click **Join this device to Azure Active Directory**. +3. Select **Connect**, then select **Join this device to Azure Active Directory**. ![Joining device to Azure AD.]](images/2-3.png) -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**. ![Set up a work or school account.](images/2-4.png) -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. +5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. > [!NOTE] > Passwords should contain 8-16 characters, including at least one special character or number. ![Entering temporary password.](images/2-5.png) -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. +6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. 7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. 8. Create a PIN for signing into your Olympia corporate account. -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. +9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. 10. Restart your device. -11. 
In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise. -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. > [!NOTE] > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). @@ -133,4 +138,4 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi 13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. >[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. \ No newline at end of file +> Your Windows client Enterprise license will not be renewed if your device is not connected to Olympia. \ No newline at end of file From 51d8f81882e36d581f15b10168fce94356a08f6d Mon Sep 17 00:00:00 2001 From: fmata-ms <91461126+fmata-ms@users.noreply.github.com> Date: Thu, 7 Oct 2021 15:20:39 +0100 Subject: [PATCH 053/217] Update on Network Security Allow Pk2U Mitigation Added the mitigation information and link to the proper CVE for easy identification so that the users can easily understand how to address it if no longer an issue. --- ...ation-requests-to-this-computer-to-use-online-identities.md | 3 +++ 1 file changed, 3 insertions(+) 
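Review bot: In the `@@ -96,36 +101,36 @@` hunk of olympia-enrollment-guidelines.md, step 12 now reads "Select on the current Windows Insider account", a leftover from replacing "Click" with "Select"; it should be "Select the current Windows Insider account" (step 8 in the earlier hunk has the same wording). Step 4 keeps "e.g." although the same sentence in the first procedure was changed to "for example", and step 9 repeats step 6 word for word, so one of the two "select **Join**" steps can probably be dropped while these lines are being touched.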
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 671eb87720..1a9ea3a61c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -86,6 +86,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. +### Fix/Remediation + +This vulnerability was fixed on February 2021 Security Update. More Information on [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) ## Related topics From b26cfc6926be2e4db2bdc721f9fb332227c920d7 Mon Sep 17 00:00:00 2001 From: fmata-ms <91461126+fmata-ms@users.noreply.github.com> Date: Tue, 12 Oct 2021 11:17:37 +0100 Subject: [PATCH 054/217] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
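Review bot: The "Fix/Remediation" section added to the PKU2U policy page opens with "This vulnerability was fixed", but none of the surrounding context lines names a vulnerability; the paragraph just above only explains what enabling the policy allows. Add a sentence that says what the issue was and which value of this setting it concerned, and say what an administrator should verify (that the update is installed) before relying on the policy. The second sentence, "More Information on [CVE-2021-25195](...)", is a fragment with no verb and no closing period.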
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 1a9ea3a61c..8327d5e9bc 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -88,7 +88,7 @@ If you enable this policy in a hybrid environment, you allow your users to authe ### Fix/Remediation -This vulnerability was fixed on February 2021 Security Update. More Information on [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) +This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update. ## Related topics From f66d0dd5f9790e79d50f28dca8dfa54ad2589896 Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Tue, 12 Oct 2021 08:56:50 -0700 Subject: [PATCH 055/217] added security considerations --- windows/client-management/mdm/healthattestation-csp.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e570b9890d..bf1801062d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
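Review bot: The reworded line in the PKU2U policy page calls CVE-2021-25195 a "Security Update", but a CVE is the identifier of the vulnerability, not of the fix. Wording such as "fixed in the security update released on February 9, 2021; see CVE-2021-25195" keeps the date and the link while making clear which is which.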
@@ -1169,7 +1169,9 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio ``` - +## Security Considerations +> DHA anchors its trust in the TPM and its measurements. If TPM measurements can be spoofed or tampered, DHA cannot provide any guarantee of device health of that device. +PC Client TPM Certification ## Related topics From 47f7926a946e5d6c4c2e44e8efa3a38c82aa06f8 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Tue, 12 Oct 2021 23:26:00 -0700 Subject: [PATCH 056/217] Update hello-hybrid-key-trust-dirsync.md Added config details for Alternate ID scenario --- .../hello-for-business/hello-hybrid-key-trust-dirsync.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 5acfb06f68..7583001fed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps - +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. + +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. +
## Follow the Windows Hello for Business hybrid key trust deployment guide @@ -45,4 +52,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) From 76a09e689df665ac5313e2dcc67730eae91a2540 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Tue, 12 Oct 2021 23:35:44 -0700 Subject: [PATCH 057/217] Update hello-hybrid-key-trust-devreg.md Added note for Alt ID support --- .../hello-hybrid-key-trust-devreg.md | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 713fcd89a5..8ebe1ed414 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -33,17 +33,26 @@ You are ready to configure device registration for your hybrid environment. Hybr > * Azure AD joined devices > * Hybrid Azure AD joined devices > -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview) -## Configure Azure for Device Registration +## Configure Hybrid Azure AD join Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal). +Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **federated environment**) and perform only the steps applicable to your environment. -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +
+ +If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps - +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. + +You can learn more about this scenario by reading [review on-premises UPN support for Hybrid Azure Ad join](azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join) + +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. -

+

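Review bot: The added "You can learn more about this scenario" line in the hello-hybrid-key-trust-devreg.md hunk links to `azure/active-directory/devices/hybrid-azuread-join-plan#...` without the leading slash that the other docs links in this hunk use (`/azure/active-directory/...`), so it is treated as a path relative to this file instead of the site root; add the slash. The same link text spells "Azure Ad" where the rest of the page uses "Azure AD". The retained link text "How to configure hybrid Azure Active Directory joined devices" now targets the hybrid-azuread-join-plan page, so confirm that the title still matches the page it points to.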
@@ -54,4 +63,4 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) From 6e24a84af731f14e3f372a05acd2b9d06f1fcdf1 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Wed, 13 Oct 2021 08:13:37 -0700 Subject: [PATCH 058/217] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-dirsync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 7583001fed..2a4d5d3c4b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -36,7 +36,7 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
-If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps - +If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: - Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. - Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. From a177543be865635b6a518ef10e5c587041280b1f Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Wed, 13 Oct 2021 08:14:08 -0700 Subject: [PATCH 059/217] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 8ebe1ed414..004c7aae32 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -38,7 +38,7 @@ You are ready to configure device registration for your hybrid environment. Hybr ## Configure Hybrid Azure AD join Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **federated environment**) and perform only the steps applicable to your environment. +Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
From c46110c04db56c4b1d48c13ab33571eab9c1a558 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Wed, 13 Oct 2021 08:14:15 -0700 Subject: [PATCH 060/217] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 004c7aae32..948b42c856 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -42,7 +42,7 @@ Follow the guidance on the [How to configure hybrid Azure Active Directory joine
-If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps - +If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: - Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. - Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. From f41743f6b099451ce98607238753fab144d52f26 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Wed, 13 Oct 2021 08:14:20 -0700 Subject: [PATCH 061/217] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 948b42c856..bd42354687 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -46,7 +46,7 @@ If the user principal name (UPN) in your on-premises Active Directory is differe - Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. - Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. -You can learn more about this scenario by reading [review on-premises UPN support for Hybrid Azure Ad join](azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join) +You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join). > [!NOTE] > Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. From 18e8e2efc2e71a333fa3aaa4f5ae21ff4fabfbc1 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 21 Oct 2021 09:58:51 -0700 Subject: [PATCH 062/217] Update hello-faq.yml Added note about Deploying Certificates to Key Trust Users to Enable RDP --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 213b9c9999..80746566bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -39,7 +39,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). + Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. See [Deploying Certificates to Key Trust Users to Enable RDP](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs). Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | From f8131c6283157d83c8057d9a94c2f3ed0e94e322 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:42:29 -0700 Subject: [PATCH 063/217] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 80746566bc..8ef336a1d1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -39,7 +39,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. See [Deploying Certificates to Key Trust Users to Enable RDP](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs). Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). + Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. See [Deploying Certificates to Key Trust Users to Enable RDP](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | From ceef1791cb0c928a1f90b779922d33437016b03f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 21 Oct 2021 11:44:23 -0700 Subject: [PATCH 064/217] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 8ef336a1d1..195b01460a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -39,7 +39,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. See [Deploying Certificates to Key Trust Users to Enable RDP](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. See [Deploying Certificates to Key Trust Users to Enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | From 26065a85bc736705508ec87f989ba429e9ddd922 Mon Sep 17 00:00:00 2001 From: Thomas Maurer Date: Mon, 25 Oct 2021 12:20:49 +0200 Subject: [PATCH 065/217] Security Compliance Toolkit added Windows Server 2022 Added Windows Server 2022 to the list of operating system security baselines in the Security Compliance Toolkit. since it is available here: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685 ------- cc: @Dansimp --- .../security-compliance-toolkit-10.md | 1 + 1 file changed, 1 insertion(+) 
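Review bot: In the hello-faq.yml hunk above (PATCH 064/217), the answer to "Can I use Windows Hello for Business key trust and RDP?" still opens with RDP "does not currently support using key-based authentication and self-signed certificates as supplied credentials" and only then lists two ways to use key trust with RDP, so the reader has to infer that the limitation applies to supplied credentials alone. Consider leading with the two supported options (certificates deployed to key trust users, or Remote Credential Guard without certificates) and stating the limitation afterwards. The closing sentence "can be also used with RDP with" reads awkwardly; "can also be used for RDP with" is cleaner.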
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 9b329ccb64..bd6f160893 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -41,6 +41,7 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1507 - Windows Server security baselines + - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 From a35efe2f1e13d9305fbefb7db885a49483190d30 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 16 Nov 2021 21:25:48 +0530 Subject: [PATCH 066/217] added windows 11 and its registry keys after reading this article, i found windows 11 is missing so i added windows 11 and its related registry keys. --- .../access-control/security-identifiers.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index be0a573f71..5506bf2736 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -20,7 +20,9 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. 
@@ -319,6 +321,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache All Capability SIDs are prefixed by S-1-15-3 +## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition + +You may see the following registry keys under AllCachedCapabilities: + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows + +All Capability SIDs are prefixed by S-1-15-3 + ## See also - [Access Control Overview](access-control.md) From 4a96c0e084f8c364c390a53e53b67f13f2c9fd4c Mon Sep 17 00:00:00 2001 From: PingYanMinamoto <94566757+PingYanMinamoto@users.noreply.github.com> Date: Wed, 17 Nov 2021 14:03:04 -0600 Subject: [PATCH 067/217] Update "Trusted network detection" The original statement of "The VPN stack will look at the DNS suffix on the physical interface" is incorrect. The actual code design is comparing the network name of the physical interface connection profile. --- .../identity-protection/vpn/vpn-auto-trigger-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 128afcfee9..1bbb01ee04 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -78,7 +78,7 @@ Should a management tool remove or add the same profile name back and set **Alwa ## Trusted network detection -This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. +This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). From ded5d2e20dadd5c597fb2550238896b88e92230a Mon Sep 17 00:00:00 2001 From: PingYanMinamoto <94566757+PingYanMinamoto@users.noreply.github.com> Date: Thu, 18 Nov 2021 10:09:10 -0600 Subject: [PATCH 068/217] Update windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md good catch! thanks! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/vpn/vpn-auto-trigger-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 1bbb01ee04..c0bf853add 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -78,7 +78,7 @@ Should a management tool remove or add the same profile name back and set **Alwa ## Trusted network detection -This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. +This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). From f9268e4095c33658a14536fdf333312702835ae8 Mon Sep 17 00:00:00 2001 From: Andrei-George Stoica <5600871+andreiztm@users.noreply.github.com> Date: Thu, 16 Dec 2021 09:52:59 +0200 Subject: [PATCH 069/217] Add remark regarding underlying OS activation --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 97dcacdb84..630120cffe 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -215,6 +215,8 @@ When you have the required Azure AD subscription, group-based licensing is the p If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +Subscription Activation doesn’t remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows. + > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). From 5bce39ea1811650839de0e837588d34a7c1aa4e7 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 11 Jan 2022 15:57:04 +0530 Subject: [PATCH 070/217] fixed Acrolinx scores --- ...te-a-package-accelerator-with-powershell.md | 8 ++++---- .../appv-release-notes-for-appv-for-windows.md | 14 +++++++------- .../app-v/appv-technical-reference.md | 18 +++++++++--------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 79b713f591..13e617e6bf 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
@@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure you have the .apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the.appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related topics +## Related articles - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) 
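Review bot: In the first hunk of appv-create-a-package-accelerator-with-powershell.md, step 3 and the sentence that introduces the example change the package extension from ".appv" to ".apps" and ".app", which contradicts the removed lines and the *InputPackagePath* bullet in the same hunk. That bullet keeps the right extension but loses its space ("the path to the.appv package"). Restore ".appv" in all three places and keep the article in "with an .appv package".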
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index bfabcf0c97..908f5748b5 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md 
@@ -20,13 +20,13 @@ ms.author: greglin The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client -MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. +There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: 1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md). -2. Ensure that you have installed the **MSI Tools** included in the Windows 10 SDK, available as follows: +2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows: - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/en-us/windows/downloads). 
@@ -44,21 +44,21 @@ MSI packages that were generated using an App-V sequencer from previous versions `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` - where the path is to the new directory (**C:\MyMsiTools\ for this example**). + where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 -An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. +An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server doesn't understand the Windows 10-operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but isn't backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. 
-**Workaround**: Do one of the following: +**Workaround**: Implement one of the following tasks: -- Assign the package to groups containing only user accounts. This will ensure that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. +- Assign the package to groups containing only user accounts. This assignation ensures that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. -- Create a custom deployment configuration file and apply it to the package on the client using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. +- Create a custom deployment configuration file and apply it to the package on the client, using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. - Create a new package with the custom configuration using the App-V Sequencer. diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 378c6cf052..4eeb5962c1 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md 
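Review bot: In the publishing-refresh paragraph of the release-notes hunk above, the added text reads "Windows 10-operating system"; the hyphen is an error, and the removed "Windows 10 operating system" should be kept. In the first workaround bullet, "This assignation ensures" is unidiomatic, and "This assignment ensures" says the same thing. The removed and added "where the path is to the new directory" lines appear to differ only in whitespace, so that pair can be dropped from the change.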
@@ -24,21 +24,21 @@ This section provides reference information related to managing App-V. - [Performance Guidance for Application Virtualization](appv-performance-guidance.md) - Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. + Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these practices are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. - [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) Describes how the following App-V client operations affect the local operating system: - App-V files and data storage locations -- package registry -- package store behavior -- roaming registry and data -- client application lifecycle management -- integration of App-V packages -- dynamic configuration -- side-by-side assemblies -- client logging +- Package registry +- Package store behavior +- Roaming registry and data +- Client application lifecycle management +- Integration of App-V packages +- Dynamic configuration +- Side-by-side assemblies +- Client logging - [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) From 441a66e050ebad0da1089e8b66b16fa1239e4904 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 11 Jan 2022 16:16:04 +0530 Subject: [PATCH 071/217] Update appv-release-notes-for-appv-for-windows.md --- .../app-v/appv-release-notes-for-appv-for-windows.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 908f5748b5..af731fd9e0 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -109,9 +109,9 @@ In environments that are running the RDS Client or that have multiple concurrent **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user -When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” +When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Ensure that the package is added to the machine and published to the user.” -**Workaround**: Do one of the following: +**Workaround**: Execute one of the following tasks: - Publish all packages in a connection group. 
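Review bot: The quoted error text in the first changed line is what the page says Repair-AppvClientConnectionGroup displays, and this edit drops "Please" from inside the quotation marks, so the documented string no longer matches the message it is quoting. Leave quoted product messages verbatim and restore "Please ensure that the package is added to the machine and published to the user." The change from "Do one of the following" to "Execute one of the following tasks" adds words without adding meaning.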
@@ -119,7 +119,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, - Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command. - Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to do the following: + Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to execute the following tasks: 1. Get all the packages in a connection group. @@ -128,7 +128,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer -Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. +Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons is not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. From 7a36ba87e8d6f916cbaa91dafad567cef50e3ccc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 12 Jan 2022 12:44:22 +0530 Subject: [PATCH 072/217] updates --- ...w-search-engine-customization-shortdesc.md | 27 ++++++++++-------- ...ure-additional-search-engines-shortdesc.md | 23 +++++++-------- .../configure-kiosk-mode-shortdesc.md | 28 +++++++++++-------- ...rning-off-required-extensions-shortdesc.md | 23 +++++++-------- 4 files changed, 57 insertions(+), 44 deletions(-) 
diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md index 4992a19eab..1ecba430cb 100644 --- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md +++ b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md @@ -1,11 +1,16 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can execute the following tasks in Settings: +- Add new search engines +- Change the default search engine + +With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser. diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index f4a61c024c..873d33a2f0 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md 
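Review bot: Every front-matter line in the allow-search-engine-customization hunk is removed and re-added with no change in wording, which points to a line-ending or encoding change riding along with the text edit. Say so in the commit message (the subject is only "updates") or split it into its own commit, because it hides the one-sentence change. In the new body, "users can execute the following tasks in Settings" reads better as "users can do the following in Settings".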
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, you can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index 0247b490e6..c76de7864b 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md 
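Review bot: The rewritten first sentence of configure-additional-search-engines-shortdesc.md changes what the policy description says. The removed text states that by default users cannot add, remove, or change any search engine and that you set the default through the Set default search engine policy; the added text says users set the default "using the Set default search engine policy" and drops the restriction entirely. Keep the two original statements and limit the edit to replacing "additional" with "more" if that is the goal.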
@@ -1,11 +1,17 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +For the Microsoft Edge browser, configure a behavior that is to be exhibited in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. + +You can facilitate the following functionalities in the Microsoft Edge browser: +- Execution of InPrivate full screen +- Execution of InPrivate multi-tab with a tailored experience for kiosks +- Provision for normal browsing diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md index 7264330137..b7331dd725 100644 --- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md +++ b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md 
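Review bot: The added bullet list in configure-kiosk-mode-shortdesc.md presents InPrivate full screen, InPrivate multi-tab, and normal browsing as three things you can "facilitate", whereas the removed sentence says you control whether Microsoft Edge runs one or another of them. State that the setting selects one of these modes. "configure a behavior that is to be exhibited in kiosk mode" is also harder to read than the removed "Configure how Microsoft Edge behaves when it's running in kiosk mode".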
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored. From 48f678b7cdb5a9f4da7617566e0dc4dc04e5348f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 09:30:11 +0530 Subject: [PATCH 073/217] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 79b713f591..2583a8e7d4 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
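Review bot: The added paragraph in prevent-turning-off-required-extensions-shortdesc.md no longer says what enabling the policy does. The removed sentence "Enabling this policy prevents users from uninstalling extensions" has no counterpart, so the description now reads as if users can always uninstall. Restore that sentence, since the statement that extra permissions requested by future updates are granted automatically only makes sense next to it. "If - at this stage - you disable the policy" should go back to plain wording, and "the list ... get ignored" needs a singular verb.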
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the.appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related topics +## Related articles - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From eafb51f24a0ea3c5d7f87d2992c2fbb77abf6858 Mon Sep 17 00:00:00 2001 
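Review bot: In appv-create-a-package-accelerator-with-powershell.md (hunk @@ -22,17 +22,17 @@), the file extension is corrupted in three added lines: step 3 now says ".Apps package", the InputPackagePath bullet says "the.appv package" with the space missing, and the example lead-in says ".app package". The removed lines all say ".appv", matching the InputPackagePath parameter; restore ".appv package" in each place and keep the article in "with an .appv package".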
From: Siddarth Mandalika Date: Mon, 17 Jan 2022 11:36:05 +0530 Subject: [PATCH 074/217] Acrolinx score improvement effort --- .../includes/provision-favorites-shortdesc.md | 30 ++++++++++++------- .../introduction-page-file.md | 2 +- .../disconnecting-from-mdm-unenrollment.md | 21 ++++++------- 3 files changed, 31 insertions(+), 22 deletions(-) diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 30b9677f92..77281a67f6 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -1,11 +1,19 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, you can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. + +> [!NOTE] +> The standard list of favorites can include folders. + +The favorites that you add also become part of this standard list. + +Once your customized Favorites list appears in the Microsoft Edge browser, you cannot customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. 
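Review bot: The rewrite of provision-favorites-shortdesc.md removes the policy from a policy description and changes who does what. The removed text says that with this policy you provision a standard Favorites list and that users then cannot customize it; the added text says "you can customize the Favorites list" and "you cannot customize it again", with no mention of the policy. Keep the admin and user roles and the phrase "With this policy", and fix only the stray "Edge." fragment in the original sentence.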
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 329d185fad..be5ce9c487 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -35,7 +35,7 @@ For example, the following Windows servers require page files: - Certificate servers - ADAM/LDS servers -This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory. +This requirement is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to ensure that the database cache can release memory if other services or applications request memory. For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed". diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index a9e4996ee9..f238066bb2 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -1,6 +1,6 @@ --- title: Disconnecting from the management infrastructure (unenrollment) -description: Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. +description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. MS-HAID: - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' 
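Review bot: In the description line, "from the phone" became "using a phone", which loses the point that the disconnection is started on the enrolled device itself, and "may be initiated" became "is initiated". Keep "from the phone". "using management server" also needs an article ("the management server").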
@@ -18,15 +18,16 @@ ms.date: 06/26/2017 # Disconnecting from the management infrastructure (unenrollment) -Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Setting Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session. Administrators may choose to disconnect a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. +The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. +The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. 
-During disconnection, the client does the following: +During disconnection, the client executes the following tasks: - Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. - Removes certificates that are configured by MDM server. -- Ceases enforcement of the settings policies that the management infrastructure has applied. +- Ceases enforcement of the settings policies applied by the management infrastructure. - Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. -- Reports successful initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows, user-initiated disassociation is reported to the server as a best effort. +- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. ## In this topic 
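Review bot: In the second added paragraph of this hunk, "The users choose to disconnect ..." and "Administrators choose to disconnect ..." drop the "may" of the removed text and now read as statements of fact, and "such as the ones described below:" introduces a list that sits on the same line, not below. The removed sentence gave two reasons (leaving the company, or getting a new device and no longer needing LOB access on the old one), while the added text turns that into three separate reasons. Suggest keeping "Users may choose to disconnect for any number of reasons, including ...", changing "users' device" to "a user's device", and lower-casing "The Disconnecting process".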
@@ -40,7 +41,7 @@ During disconnection, the client does the following: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will send a notification to the MDM server notifying that the server the account will be removed. This is a best effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. 
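Review bot: The added sentence has "the MDM client will notify to the MDM server that the account will be removed"; "notify" takes a direct object, so drop "to". The following sentence says the notification is "sent to the device", while the sentence before it has the client notifying the server, so confirm which is intended while this paragraph is being edited.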
@@ -126,7 +127,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. -You can only use the Work Access page to unenroll under the following conditions: +You can only use the Work Access page to un-enroll under the following conditions: - Enrollment was done using bulk enrollment. - Enrollment was created using the Work Access page. 
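Review bot: "un-enroll" in the added line is inconsistent with "unenrollment", "unenrolled" and "unenrolling" used in the rest of this file's visible text, including the section headings. Keep "unenroll".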
@@ -135,11 +136,11 @@ You can only use the Work Access page to unenroll under the following conditions ## Unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +At the time a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. 
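Review bot: In the first changed paragraph, "and later, the enrollment disconnects" makes the enrollment the actor, where the removed text had the user disconnecting it; keep "and then disconnects the enrollment". In the second, "At the time a device is enrolled ... and then remotely unenrolled" does not parse, because two sequential events cannot share one point in time, and the removed "When a device is ..." was correct. The unchanged "corporated devices" in the same paragraph should be "corporate devices".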
@@ -148,7 +149,7 @@ In mobile devices, remote unenrollment for Azure Active Directory Joined devices ## IT admin–requested disconnection -The server requests an enterprise management disconnection request by issuing an Exec OMA DM SyncML XML command to the device using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DM client configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. From 19fd32f7c2c4ef4985892877f97e062822083e4c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:26:25 +0530 Subject: [PATCH 075/217] Acrolinx score --- .../mdm/disconnecting-from-mdm-unenrollment.md | 8 ++++---- .../mdm/enrollmentstatustracking-csp.md | 8 ++++---- .../mdm/esim-enterprise-management.md | 8 ++++---- .../mdm/policy-csp-admx-sdiageng.md | 4 ++-- .../mdm/policy-csp-servicecontrolmanager.md | 2 +- .../mdm/push-notification-windows-mdm.md | 8 ++++---- .../client-management/mdm/tenantlockdown-csp.md | 12 ++++++------ windows/client-management/mdm/tpmpolicy-csp.md | 14 +++++++------- 8 files changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index f238066bb2..f3e3c24cf9 100644 
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -41,12 +41,12 @@ During disconnection, the client executes the following tasks: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -127,7 +127,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. -You can only use the Work Access page to un-enroll under the following conditions: +You can only use the Work Access page to unenroll under the following conditions: - Enrollment was done using bulk enrollment. - Enrollment was created using the Work Access page. @@ -140,7 +140,7 @@ When a user is enrolled into MDM through Azure Active Directory Join and later, ![aadj unenerollment.](images/azure-ad-unenrollment.png) -At the time a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. 
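Review bot: In the last hunk for disconnecting-from-mdm-unenrollment.md (@@ -140,7 +140,7 @@), "During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled" still describes a duration that does not exist; the condition is a device that was enrolled this way and is later unenrolled remotely. "When a device is enrolled ... and then remotely unenrolled" states that directly.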
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 3b4e865ccb..6cf9e1ad93 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,6 +1,6 @@ --- title: EnrollmentStatusTracking CSP -description: Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. +description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. ms.author: dansimp ms.topic: article ms.prod: w10 
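Review bot: The description line edited here belongs to a different topic: it describes "a hybrid certificate trust deployment of Windows Hello for Business", while the title on the line above is "EnrollmentStatusTracking CSP". Swapping "perform" for "execute" leaves the mismatch in place. Replace the description with one about the CSP, for example that it tracks the installation status of required apps for the Enrollment Status Page, as the body of the article states.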
@@ -11,14 +11,14 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP -During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). +During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). -ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. 
See [DMClient CSP](dmclient-csp.md) for more information. +ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md). The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. -The following shows the EnrollmentStatusTracking CSP in tree format. +The following example shows the EnrollmentStatusTracking CSP in tree format. ``` ./User/Vendor/MSFT EnrollmentStatusTracking diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index f1dd261229..f3e01980bb 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md 
@@ -12,12 +12,12 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. 
However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. 
As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index d2b7755488..5b902e0ec5 100644 
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -66,7 +66,7 @@ manager: dansimp -This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows Internet-connected users to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -116,7 +116,7 @@ This policy setting allows users to access and run the troubleshooting tools tha If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. +If this policy setting is disabled, the users cannot access or run the troubleshooting tools from the Control Panel. >[!Note] >This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index f8b22ff8c3..5b40aa9385 100644 
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -58,7 +58,7 @@ This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. +These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. > [!IMPORTANT] > Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 13294f3ce5..0b8ad9e938 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
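Review bot: In the esim-enterprise-management.md hunk, the new sentence "Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding" no longer says what the removed line did ("handling MDM onboarding as well as mobile operator onboarding"). Restore "as well as", or write "both MDM onboarding and mobile operator onboarding". The same bullet repeats "Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases." twice, in the old text and in the new, so the duplicate should be dropped while the bullet is being rewritten.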
@@ -18,17 +18,17 @@ ms.date: 09/22/2017 # Push notification support for device management -The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). +The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). -To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. +To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. 
When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). -Note the following restrictions related to push notifications and WNS: +The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. This means that these raw push notifications do not support or utilize push notification payloads. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications do not support or utilize push notification payloads. - Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. - A ChannelURI provided to the management server by the device is only valid for 30 days. 
The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. - Push is not a replacement for having a polling schedule. diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 52db501db8..af816d6d88 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -16,12 +16,12 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809. -The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes. +The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant if accidental or intentional resets or wipes occur. > [!NOTE] > The forced network connection is only applicable to devices after reset (not new). -The following shows the TenantLockdown configuration service provider in tree format. +The following example shows the TenantLockdown configuration service provider in tree format. ``` ./Vendor/MSFT TenantLockdown 
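Review bot: In tenantlockdown-csp.md, the [!NOTE] kept as context in the @@ -16,12 hunk says the forced network connection applies only to devices after reset (not new), while the RequireNetworkInOOBE description edited later in the same file says the user must choose a network "at first sign in or after a reset". The two statements disagree about new devices. Reconcile them while these paragraphs are being reworded, because an admin reading this page needs to know whether a new device can get through OOBE without a network and end up with a local account.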
@@ -31,13 +31,13 @@ TenantLockdown The root node. **RequireNetworkInOOBE** -Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon. +Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in. -When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. +When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. Value type is bool. Supported operations are Get and Replace. -- true - Require network in OOBE -- false - No network connection requirement in OOBE +- True - Require network in OOBE +- False - No network connection requirement in OOBE Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 6c01205868..0c7915fe7c 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md 
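Review bot: In the RequireNetworkInOOBE hunk of tenantlockdown-csp.md, the value list changes from "true"/"false" to "True"/"False", but the unchanged text still says "When RequireNetworkInOOBE is true" and "Value type is bool". Keep the lowercase literals so the listed values match the prose, or state explicitly that casing is not significant. Also, "first sign in" is used as a noun in both added lines and should be "first sign-in", matching "sign-in experience" in the example scenario.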
@@ -1,6 +1,6 @@ --- title: TPMPolicy CSP -description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. +description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,11 +14,11 @@ manager: dansimp # TPMPolicy CSP -The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. The TPMPolicy CSP was added in Windows 10, version 1703. -The following shows the TPMPolicy configuration service provider in tree format. +The following example shows the TPMPolicy configuration service provider in tree format. ``` ./Vendor/MSFT TPMPolicy @@ -28,13 +28,13 @@ TPMPolicy

Defines the root node.

**IsActiveZeroExhaust** -

Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

+

Boolean value that indicates that network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). The default value is false. Examples of zero-exhaust configuration and the conditions it requires are described below:

  • There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
  • -
  • There should be no traffic during installation of Windows and first logon when local ID is used.
  • -
  • Launching and using a local app (Notepad, Paint, and so on.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
  • -
  • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on.) to Microsoft.
  • +
  • There should be no traffic during installation of Windows and first sign in when local ID is used.
  • +
  • Launching and using a local app (Notepad, Paint, and so on) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
  • +
  • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on) to Microsoft.
Here is an example: From fb92af87d79051b0c9ff2809e3521e0ecb405756 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:49:27 +0530 Subject: [PATCH 076/217] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 13e617e6bf..6c752ffbf6 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
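Review bot: In the IsActiveZeroExhaust hunk of tpmpolicy-csp.md, "Boolean value that indicates that network traffic ... is not allowed" loses the true/false sense; the removed "indicates whether" was the right wording for a Boolean whose default is false. The reworded bullet about local apps still ends "(clicking on start menu, browsing folders, and so on.)", so the stray period this patch removes elsewhere survives in the second half of that line. In the @@ -14,11 hunk of the same file, "This definition allows the enterprise admin to configure devices" has the wrong subject: it is the CSP, not the definition of zero exhaust, that lets the admin configure devices.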
@@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure there's the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. + - *InputPackagePath* specifies the path to the .appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + The following example cmdlet shows how you can create a package accelerator with the .appv package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path From b5fc4de8c076a943adb3cff1959663a4a5576a7b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:56:02 +0530 Subject: [PATCH 077/217] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
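Review bot: In PATCH 076, the example command left as context, "New-AppvPackageAccelerator -InputPackagePath -Installer -Path", passes only three of the four parameters that the list above it calls required (InstalledFilesPath is missing) and shows no value for any of them. The sentence introducing the example is edited here, so the example should be corrected in the same change, with placeholder values for each parameter. Step 3 now reads "Ensure there's the .appv package to create an accelerator from the installation media or installation files", which is less clear than "Ensure you have"; keep "you have" and change only ".apps" to ".appv".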
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 6c752ffbf6..645ed56d14 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
@@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure there's the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure there's the App-V package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the App-V package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with the .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with the App-V package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path From eca7661e5574728be0d2cfc797d463b7b0153fc5 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Mon, 17 Jan 2022 15:04:29 +0530 Subject: [PATCH 078/217] Delete appv-create-a-package-accelerator-with-powershell.md --- ...e-a-package-accelerator-with-powershell.md | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md deleted file mode 100644 index 2583a8e7d4..0000000000 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) -description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: greg-lindsay -ms.pagetype: mdop, appcompat, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library -ms.prod: w10 -ms.date: 07/10/2018 -ms.reviewer: -manager: dansimp -ms.author: greglin -ms.topic: article ---- -# How to create a package accelerator by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. - -## Create a package accelerator - -1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). -2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. -4. Enter the **New-AppvPackageAccelerator** cmdlet. - - The following parameters are required to use the package accelerator cmdlet: - - - *InstalledFilesPath* specifies the application installation path. - - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. - - *Path* specifies the output directory for the package. 
- - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: - - ```PowerShell - New-AppvPackageAccelerator -InputPackagePath -Installer -Path - ``` - - You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: - - - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. - - - - - -## Related articles - -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From 4f4395f6830fb2decab21853dbd87492d91b8b21 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Wed, 19 Jan 2022 22:51:05 +0530 Subject: [PATCH 079/217] Acrolinx score enhancement --- ...compatibility-administrator-users-guide.md | 4 +- ...se-management-strategies-and-deployment.md | 43 ++++++++------- ...ection-considerations-for-windows-to-go.md | 6 +-- .../deployment/planning/sua-users-guide.md | 2 +- .../using-the-sdbinstexe-command-line-tool.md | 4 +- .../planning/using-the-sua-wizard.md | 6 +-- .../planning/windows-10-compatibility.md | 10 ++-- .../windows-10-infrastructure-requirements.md | 15 +++--- ...ndows-to-go-frequently-asked-questions.yml | 4 +- .../deployment/update/plan-define-strategy.md | 4 +- .../usmt/understanding-migration-xml-files.md | 4 +- .../usmt-estimate-migration-store-size.md | 20 +++---- .../usmt/usmt-hard-link-migration-store.md | 12 ++--- ...usmt-identify-operating-system-settings.md | 16 +++--- .../deployment/usmt/usmt-scanstate-syntax.md | 8 +-- .../deployment/usmt/xml-file-requirements.md | 8 +-- ...t-to-microsoft-during-activation-client.md | 4 +- .../volume-activation/introduction-vamt.md | 12 ++--- .../manage-activations-vamt.md | 6 +-- .../scenario-proxy-activation-vamt.md | 14 ++--- .../volume-activation/vamt-step-by-step.md | 4 +- .../windows-deployment-scenarios-and-tools.md | 52 +++++++++---------- 22 files changed, 132 insertions(+), 126 deletions(-) diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index f0d03186b1..e2e505838d 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md 
@@ -27,7 +27,7 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides: - Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. 
@@ -48,4 +48,4 @@ The following flowchart shows the steps for using the Compatibility Administrato |--- |--- | |[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)|This section provides information about using the Compatibility Administrator tool.| |[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)|This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.| -|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|You must deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. Including, by using a logon script, by using Group Policy, or by performing file copy operations.| \ No newline at end of file +|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|Ensure that you deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including, by using a logon script, by using Group Policy, or by performing file copy operations.| \ No newline at end of file diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 18f52b5803..fae3bcf0a8 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md 
+++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -4,7 +4,7 @@ ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c ms.reviewer: manager: laurawi ms.author: greglin -description: Learn about deploying your compatibility fixes as part of an application-installation package or through a centralized compatibility-fix database. +description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat 
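Review bot: The new `description:` value in this front-matter hunk says the fixes are deployed "into an application-installation package", while the article body lists the approach as "Deploying your compatibility fixes as part of an application-installation package". Suggest keeping "as part of" so the metadata matches the body, for example "Learn how to deploy your compatibility fixes as part of an application-installation package or through a centralized compatibility-fix database."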
@@ -28,40 +28,43 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches: +To use fixes in application-compatibility mitigation strategy, define a strategy to manage your custom compatibility-fix database. Typically, you can use one of the two following approaches: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -Regardless of which approach you decide to use in your organization, Microsoft provides the following general recommendations for improving the management of your custom compatibility-fix databases: +Microsoft provides general recommends the following remedies for improving the management of your custom compatibility-fix databases. -- **Define standards for when you will apply compatibility fixes.** +> [!NOTE] +> These recommendations are not based on irrespective of the approach you decide to use. The following are the general recommendations. - You must define the standards and scenarios for using compatibility fixes, based on your specific business and technology needs. +- **Define standards for when you will apply compatibility fixes** -- **Define standards for your custom compatibility-fix databases.** + Ensure that the standards and scenarios for using compatibility fixes are defined, based on your specific business and technology needs. - You must define how to associate your compatibility fixes to particular applications. For example, you might want to ensure that your compatibility fixes always include a version check, so that a fix will not be applied to newer versions of your applications. 
+- **Define standards for your custom compatibility-fix databases** -- **Define your resources responsible for addressing questions and enforcing your standards.** + Compatibility fixes must include a version check, so that mapping to particular applications becomes easy. Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications. - You must determine who will be responsible for staying current with the technology and standards related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. +- **Define your resources responsible for addressing questions and enforcing your standards** + + Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. ## Strategies for Deploying Your Compatibility Fixes -We recommend that you use one of two strategies to deploy your compatibility fixes into your organization. They are: +We recommend the usage of one of the two strategies to deploy your compatibility fixes into your organization. They are: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -You must determine which method best meets your organization's deployment needs. +Determine which method best meets your organization's deployment needs. ### Deploying Fixes as Part of an Application-Installation Package -One strategy for deploying compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. 
While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. +One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. @@ -114,7 +117,7 @@ If you decide to use the centralized compatibility-fix database deployment strat Deploying your custom compatibility-fix database into your organization requires you to perform the following actions: -1. Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization's computers. +1. Store your custom compatibility-fix database (.sib file) in a location that is accessible to all of your organization's computers. 2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally. 
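Review bot: In the hunk at @@ -28,40 +28,43 @@ of this file, three added lines do not parse and one of them drops the substance of the recommendation. "Microsoft provides general recommends the following remedies" and "These recommendations are not based on irrespective of the approach you decide to use" are ungrammatical, and "Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications" has lost the words "include a version check" that the removed line carried. The version check is what keeps a fix from being applied to newer versions of an application, so suggest restoring the removed wording for that bullet and for the lead-in sentence ("Regardless of which approach you decide to use in your organization, Microsoft provides the following general recommendations"), and dropping the new [!NOTE].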
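Review bot: Step 1 in the hunk at @@ -114,7 +117,7 @@ now reads "(.sib file)", but the extension used for a custom compatibility-fix database everywhere else is .sdb: step 2 in the same hunk installs it with Sdbinst.exe, and using-the-sdbinstexe-command-line-tool.md in this same commit still says "customized database (.sdb) files". Suggest reverting the added line to "(.sdb file)" so an administrator following the steps looks for the file type that Compatibility Administrator actually produces.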
@@ -122,7 +125,7 @@ In order to meet the two requirements above, we recommend that you use one of th - **Using a Windows Installer package and a custom script** - You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. + You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization. > [!IMPORTANT] > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: 
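Review bot: The added line "You can package your .sib file and a custom deployment script into a file with the .msi extension" changes the database extension from .sdb to .sib, which leaves the packaging instruction naming a file type the rest of the article never produces. Suggest restoring ".sdb". The rewording "a file with the .msi extension, and then deploy the .msi file" is also longer than the removed "an .msi file, and then deploy the .msi file" without adding information.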
@@ -131,16 +134,16 @@ In order to meet the two requirements above, we recommend that you use one of th - **Using a network share and a custom script** -You can store your .sdb file on your network share and then call to a script that resides on your specified computers. +You can store the .sib file on your network share, and then call to a script available on your specified computers. > [!IMPORTANT] -> You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. +> Ensure that you call the script at a time when it can receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. -### Example Script for an Installation of the .sdb File based on an .msi File +### Example Script for installation of .sib File based on .msi File -The following examples show an installation of a custom compatibility-fix database based on an .msi file. +The following examples show an installation of a custom compatibility-fix database based on a .msi file. ``` 'InstallSDB.vbs 
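Review bot: In the [!IMPORTANT] block of this hunk, "at a time when it will receive elevated rights" became "at a time when it can receive elevated rights", which softens a requirement into a possibility. The next sentence, unchanged in substance, still says the installation of the custom compatibility-fix database must occur with Administrator rights, and the startup-script example only makes sense if elevation is guaranteed, so suggest keeping "will". The hunk also changes .sdb to .sib in the network-share line and in the heading "Example Script for installation of .sib File based on .msi File", while the script in the trailing context line is still named InstallSDB.vbs; restore ".sdb" in both places.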
@@ -161,7 +164,7 @@ End Function ### Initial Deployment and Updates -Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic. +Application-compatibility is tested, from which issues are reported, even before a new Windows operating system is deployed. To handle these issues, include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Later, update your compatibility-fix database; provide the updates by using one of the two mechanisms that are described in the "Deploying Your Custom Compatibility Fix Databases" section. -## Related topics +## Related articles [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index cf91886a29..a40bab3ece 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md 
@@ -53,20 +53,20 @@ If you are using a host computer running Windows 7 that has BitLocker enabled, We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. 
If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following topics. +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. - [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) - [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation) -## Related topics +## Related articles [Windows To Go: feature overview](windows-to-go-overview.md) diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index d3fad3aced..83926ee905 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md 
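Review bot: In security-and-data-protection-considerations-for-windows-to-go.md (hunk @@ -53,20 +53,20 @@), "It is strongly recommended you do not change this policy" was reduced to "It is recommended you do not change this policy", yet the unchanged sentences that follow describe loss of hibernation state and unsaved user data on a Windows 8 host and corruption on a Windows 7 or earlier host when the internal drive is mounted. The OFFLINE_INTERNAL SAN policy is the data-protection control this paragraph exists to defend, so suggest keeping "strongly"; if the intent is only to avoid the passive construction, "We strongly recommend that you do not change this policy" preserves the weight of the guidance.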
@@ -32,7 +32,7 @@ You can use Standard User Analyzer (SUA) to test your applications and monitor A You can use SUA in either of the following ways: -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis. - **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 3369ff0c1e..46307344ea 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -28,7 +28,7 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -You must deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. +Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. 
@@ -69,6 +69,6 @@ The following table describes the available command-line options. |-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).

For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`| |-n *"name"*|Specifies the customized database to uninstall by file name.

For example,
`sdbinst.exe -n "My_Database"`| -## Related topics +## Related articles [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 4ee4675b0d..bcbda77946 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -42,7 +42,7 @@ The following flowchart shows the process of using the SUA Wizard. **To test an application by using the SUA Wizard** -1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. +1. On the computer where the SUA Wizard is installed, sign in by using a non-administrator account. 2. Run the Standard User Analyzer Wizard. @@ -76,9 +76,9 @@ The following flowchart shows the process of using the SUA Wizard. The SUA Wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). -## Related topics +## Related articles [SUA User's Guide](sua-users-guide.md)   diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 1689fef566..1544a8ad6a 100644 --- a/windows/deployment/planning/windows-10-compatibility.md 
+++ b/windows/deployment/planning/windows-10-compatibility.md @@ -27,7 +27,7 @@ Windows 10 will be compatible with most existing PC hardware; most devices runn For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Those applications that interface with Windows at a low level, those applications that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. 
@@ -36,13 +36,13 @@ For web apps and sites, modern HTML5-based sites should also have a high degree ## Recommended application testing process -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level: -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. +- Identify mission-critical applications and websites, those applications and websites that are essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. 
-- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. +- For less critical applications, apply an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 005813b401..b10e9e5164 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,6 +1,6 @@ --- title: Windows 10 infrastructure requirements (Windows 10) -description: Review the specific infrastructure requirements to deploy and manage Windows 10, prior to significant Windows 10 deployments within your organization. +description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 ms.reviewer: manager: laurawi 
@@ -22,11 +22,11 @@ ms.topic: article - Windows 10 -There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +There are specific infrastructure requirements that should be in place for the deployment and management of Windows 10. Fulfill these requirements before any Windows 10-related deployments take place. ## High-level requirements -For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. +For initial Windows 10 deployments, and for subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) 
@@ -72,7 +72,10 @@ Windows Server Update Services (WSUS) requires some additional configuration to WSUS product list with Windows 10 choices -Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's update. Consider using “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. + +> [!NOTE] +> The usage of "express installation" packages will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS. ## Activation 
@@ -93,9 +96,9 @@ Additionally, new product keys will be needed for all types of volume license ac - For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. +Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 408bcd13d0..a912d623b5 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -56,7 +56,7 @@ summary: | - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - - [What power states does Windows To Go support?](#what-power-states-does-windows-to-go-support-) + - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-) - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) @@ -120,7 +120,7 @@ sections: - question: | Does Windows To Go rely on virtualization? answer: | - No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - question: | Who should use Windows To Go? diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index 289cffc216..4ae3eb751c 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md 
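Review bot: In windows-to-go-frequently-asked-questions.yml (hunk @@ -56,7 +56,7 @@), the link text was changed to "What power states do Windows To Go support?", which is ungrammatical because "Windows To Go" is singular, and it no longer agrees with its own anchor, #what-power-states-does-windows-to-go-support-. Suggest reverting the link text to "does" so the summary entry and the anchor it points to stay in step.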
@@ -21,7 +21,7 @@ ms.collection: m365initiative-coredeploy Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. -Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. +Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. 
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. @@ -41,6 +41,6 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to wait and see how successful other companies are at adopting a Windows 10 feature update. -- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months). diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index f6a8ab4221..4c54794786 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md 
@@ -168,14 +168,14 @@ The default MigUser.xml file does not migrate the following: - ACLS for files in folders outside the user profile. -You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. +You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. > [!NOTE] > Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. ## Using multiple XML files -You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. 
You can also use custom XML files to supplement these default files with additional migration rules. +You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with more migration rules. |XML migration file|Modifies the following components:| |--- |--- | diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 51ea6051cb..7d7d97e2cd 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -24,7 +24,7 @@ The disk space requirements for a migration are dependent on the size of the mig - [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how large the migration store will be on a particular computer. - [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. 
@@ -35,13 +35,13 @@ The disk space requirements for a migration are dependent on the size of the mig - **Source Computer.** The source computer needs enough available space for the following: - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. 
The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file systems exist on the system and contain data being migrated. -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following components: - [Operating system.](#bkmk-estmigstoresize) 
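Review bot: In the `@@ -35,13 +35,13 @@` hunk, the first sub-bullet under Source Computer still begins "[E250 megabytes (MB) minimum of hard disk space.]" on the added line. The stray "E" before "250" is carried over from the removed line and should be dropped while the sentence is being edited. The same hunk also leaves "This does not include the minimum 250 MB" with a bare "This"; "This temporary space does not include ..." would make the referent explicit, as the other edits in this patch do.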
@@ -49,12 +49,12 @@ The disk space requirements for a migration are dependent on the size of the mig - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. ## Calculate Disk Space Requirements using the ScanState Tool -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it is recommended that you use the calculations as an estimate when planning your migration. **To run the ScanState tool on the source computer with USMT installed,** 
@@ -82,7 +82,7 @@ You can use the ScanState tool to calculate the disk space requirements for a pa The migration store will not be created by running this command, but `StorePath` is a required parameter. -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). **Note**   To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. 
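Review bot: In the `@@ -82,7 +82,7 @@` hunk, "You can specify this condition in a configuration file" misnames what is being specified. The preceding sentence describes leaving the My Documents folder out of the migration, which is an exclusion, not a condition. Suggest "You can specify this exclusion in a configuration file when you run the ScanState tool."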
@@ -108,7 +108,7 @@ Additionally, USMT performs a compliance check for a required minimum of 250 MB ## Estimate Migration Store Size -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you will need. The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. 
@@ -123,7 +123,7 @@ When trying to determine how much disk space you will need, consider the followi - **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. -- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. +- **User system settings** Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. ## Related topics diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 02c53344c8..9bb6d2ba32 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md 
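Review bot: In the `@@ -123,7 +123,7 @@` hunk of usmt-estimate-migration-store-size.md, dropping "usually" from "Five megabytes is usually adequate space" changes the meaning, not only the style. The sentence becomes an unconditional sizing claim, while the two unchanged sentences that follow say the requirement "can fluctuate" and that exceeding 5 MB is only "rare". Restore the hedge, or reword the whole bullet so the estimate and its caveats agree. The label "**User system settings**" also lacks the colon that "**User documents**:" carries in the line above.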
@@ -16,7 +16,7 @@ ms.topic: article # Hard-Link Migration Store -A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. +A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. ## In this topic @@ -50,7 +50,7 @@ You can use a hard-link migration store when your planned migration meets both o - You are upgrading the operating system on the same volume of the computer. -You cannot use a hard-link migration store if your planned migration includes any of the following: +You cannot use a hard-link migration store if your planned migration includes any of the following tasks: - You are migrating data from one computer to a second computer. 
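Review bot: In the `@@ -50,7 +50,7 @@` hunk, "includes any of the following tasks:" does not fit the list it introduces. The visible item, "You are migrating data from one computer to a second computer", describes a migration scenario, not a task. "any of the following scenarios:" would match the list.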
@@ -62,7 +62,7 @@ You cannot use a hard-link migration store if your planned migration includes an The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. -When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. +When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These two paths relate to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. > [!NOTE] > A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. 
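Review bot: In the `@@ -62,7 +62,7 @@` hunk, the added line still spells the example link path two ways: `c:\\hard link\\myFile.txt` (with a space) where the link is created and reopened, and `c:\\hardlink\\myFile.txt` in the sentence about deleting c:\\file1.txt. The example is about two paths to one file, so a third spelling undercuts it; pick one and use it throughout. "These two paths relate to the same file" is also less precise than the sentence it replaces; "These two paths refer to the same file" says what a hard link actually does.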
@@ -76,11 +76,11 @@ As a best practice, we recommend that you delete the hard-link migration store a > [!IMPORTANT] > Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. -Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons: +Keeping the hard-link migration store can result in extra disk space being consumed or problems with some applications for the following reasons: - Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. -- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. +- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up more disk space. 
You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. - Editing the file by using different paths simultaneously may result in data corruption. @@ -131,7 +131,7 @@ The drive you specify on the command line for the hard-link migration store is i ### Location Modifications -Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. +Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. ### Migrating Encrypting File System (EFS) Certificates and Files diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 8165a6d8c3..c6f264b11d 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md 
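Review bot: In the `@@ -131,7 +131,7 @@` hunk under "Location Modifications", "This impact is because the migrating data ..." is harder to read than the sentence it replaces, since an impact cannot "be because". Suggest "This impact occurs because data that must cross system volumes cannot remain in the hard-link migration store and must be copied across the system volumes."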
@@ -17,27 +17,27 @@ ms.topic: article # Identify Operating System Settings -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters: -- **Apperance.** +- **Appearance.** - This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + The appearance factor includes items such as wallpaper, colors, sounds, and the location of the taskbar. - **Action.** - This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + The action factor includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. - **Internet.** - These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + The Internet factor includes the settings that let you connect to the Internet and control how your browser operates. 
The settings include items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. - **Mail.** - This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + The mail factor includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. -To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. +To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. -You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. 
+You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. **Note**   For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 37fb5cbc81..5034c08b18 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -48,7 +48,7 @@ Before you run the **ScanState** command, note the following: - Unless otherwise noted, you can use each option only once when running a tool on the command line. -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration. - The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. @@ -142,7 +142,7 @@ USMT provides several options that you can use to analyze problems that occur du | **/l:**[*Path*]*FileName* | Specifies the location and name of the ScanState log.

You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can use the **/v** option to adjust the amount of output.

If you run the **ScanState** or **LoadState** commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /**l: scan.log** command. | | **/v:***<VerbosityLevel>* | **(Verbosity)**

Enables verbose output in the ScanState log file. The default value is 0.

You can set the *VerbosityLevel* to one of the following levels:

  • **0** - Only the default errors and warnings are enabled.
  • **1** - Enables verbose output.
  • **4** - Enables error and status output.
  • **5** - Enables verbose and status output.
  • **8** - Enables error output to a debugger.
  • **9** - Enables verbose output to a debugger.
  • **12** - Enables error and status output to a debugger.
  • **13** - Enables verbose, status, and debugger output.

For example:
`scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`| | /**progress**:[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log` | -| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | +| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | | **/r:***<TimesToRetry>* | **(Retry)**

Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

While storing the user state, the **/r** option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | | **/w:***<SecondsBeforeRetry>* | **(Wait)**

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | | **/p:***<pathToFile>* | When the **ScanState** command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
`Scanstate.exe C:\MigrationLocation [additional parameters]`
`/p:"C:\MigrationStoreSize.xml"`

For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the **/p** option, without specifying *"pathtoafile"*, in USMT. If you specify only the **/p** option, the storage space estimations are created in the same manner as with USMT3.x releases. | @@ -156,7 +156,7 @@ By default, all users are migrated. The only way to specify which users to inclu |-----|-----| | /**all** | Migrates all of the users on the computer.

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /**ue** or /**uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /**all** option, you cannot also use the /**ui**, /**ue** or /**uel** options. | | /**ui**:*<DomainName>*\*<UserName>*
or
/**ui**:*<ComputerName>*\*<LocalUserName>* | **(User include)**

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /**ue** or /**uel** options. You can specify multiple /**ui** options, but you cannot use the /**ui** option with the /**all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
**Note**
If a user is specified for inclusion with the /**ui** option, and also is specified to be excluded with either the /**ue** or /**uel** options, the user will be included in the migration.

For example:
  • To include only User2 from the Fabrikam domain, type:
    `/ue:*\* /ui:fabrikam\user2`
  • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
    `/uel:30 /ui:fabrikam\*`
    In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.

For more examples, see the descriptions of the /**ue** and /**ui** options in this table. | -| /**uel**:*<NumberOfDays>*
or
/**uel**:*<YYYY/MM/DD>*
or
**/uel:0** | **(User exclude based on last logon)**

Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

You can specify a number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged on to another computer, that logon instance is not considered by USMT.
**Note**
The /**uel** option is not valid in offline migrations.
  • **/uel:0** migrates any users who are currently logged on.
  • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
  • **/uel:1** migrates users whose account has been modified within the last 24 hours.
  • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | +| /**uel**:*<NumberOfDays>*
or
/**uel**:*<YYYY/MM/DD>*
or
**/uel:0** | **(User exclude based on last logon)**

Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

You can specify the number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance is not considered by USMT.
**Note**
The /**uel** option is not valid in offline migrations.
  • **/uel:0** migrates any users who are currently logged on.
  • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
  • **/uel:1** migrates users whose account has been modified within the last 24 hours.
  • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | | /**ue**:*<DomainName>*\*<UserName>*
-or-

/**ue**:*<ComputerName>*\*<LocalUserName>* | **(User exclude)**

Excludes the specified users from the migration. You can specify multiple /**ue** options. You cannot use this option with the /**all** option. *<DomainName>* and *<UserName>* can contain the asterisk (
) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

For example:
`scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` | ## How to Use /ui and /ue @@ -184,7 +184,7 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg |--- |--- | |Include only User2 from the Fabrikam domain and exclude all other users.|`/ue:*\* /ui:fabrikam\user2`| |Include only the local user named User1 and exclude all other users.|`/ue:*\* /ui:user1`| -|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
  • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
  • On the **LoadState** command line, type: `/ue:contoso\user1`
| +|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following commands:
  • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
  • On the **LoadState** command line, type: `/ue:contoso\user1`
| |Include only local (non-domain) users.|`/ue:*\* /ui:%computername%\*`| ## Encrypted File Options diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index f5afeaa069..468776c419 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -1,6 +1,6 @@ --- title: XML File Requirements (Windows 10) -description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid. +description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID. ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f ms.reviewer: manager: laurawi 
@@ -19,20 +19,20 @@ ms.topic: article When creating custom .xml files, note the following requirements: -- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: +- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: ``` xml ``` -- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: +- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: ``` xml ``` -- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: +- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the Config.xml file defines the components by the display name and the migration URL ID. For example, specify the following syntax: ``` xml My Application 
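Review bot: Replacing `urlid` with "URL ID" in the second and third bullets of this hunk hides the literal name the reader has to type. `urlid` is the attribute name in the migration .xml file, the removed lines spelled it as a single token, and the bullet still says to "specify the following syntax at the beginning of each file". Suggest keeping the identifier in code formatting, for example "a unique migration `urlid`", so the prose matches what goes in the file. Two smaller wording points in the same hunk: "Save the file in this format, and you must specify" mixes an imperative with "you must", and "This condition is because" reads awkwardly; "This is required because" would be clearer.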
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 19d405b786..b36419cb21 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -49,7 +49,7 @@ When you activate a computer running Windows 10, the following information is s - Volume serial number (hashed) of the hard disk drive - The result of the activation check - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - The activation exploit’s identifier - The activation exploit’s current state, such as cleaned or quarantined @@ -63,7 +63,7 @@ Standard computer information is also sent, but your computer’s IP address is ## Use of information Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). +For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). ## See also diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 91d2d8540b..d5d2c105b5 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -17,7 +17,7 @@ ms.topic: article # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. > [!NOTE] > VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. 
@@ -34,20 +34,20 @@ The Volume Activation Management Tool (VAMT) enables network administrators and You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: - **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. 
The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. ## Managing Key Management Service (KMS) Activation -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\ +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. ## Enterprise Environment -VAMT is commonly implemented in enterprise environments. 
The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. ## VAMT User Interface 
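Review bot: "The following screenshot illustrates three common environments" in the Enterprise Environment paragraph mislabels the image unless it really is a capture of the VAMT UI; a picture of the Core Network, Secure Zone, and Isolated Lab reads as a diagram, and scenario-proxy-activation-vamt.md in this same patch says "The following diagram shows". Suggest "The following diagram illustrates". In the KMS paragraph, replacing "as well as" with "and" leaves "Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010", a list with two consecutive "and"s; either restore "as well as" or move the serial "and" so it sits only before Microsoft Office 2010. In the proxy activation bullet, dropping "completely" from "completely isolated from any larger network" weakens the description of the one case that requires removable media; consider keeping it.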
@@ -60,7 +60,7 @@ VAMT provides a single, graphical user interface for managing activations, and f - **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. - **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. - **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index e1e2f2151e..6c96637ddf 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -1,6 +1,6 @@ --- title: Manage Activations (Windows 10) -description: Learn how to manage activations and how to activate a client computer by using a variety of activation methods. +description: Learn how to manage activations and how to activate a client computer by using various activation methods. ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c ms.reviewer: manager: laurawi @@ -17,7 +17,7 @@ ms.topic: article # Manage Activations -This section describes how to activate a client computer, by using a variety of activation methods. +This section describes how to activate a client computer, by using various activation methods. ## In this Section @@ -25,7 +25,7 @@ This section describes how to activate a client computer, by using a variety of |------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | |[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | 
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index d3b906680d..3e9a42c319 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -17,7 +17,7 @@ ms.topic: article # Scenario 2: Proxy Activation -In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: +In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups that are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: ![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) 
@@ -45,9 +45,9 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa 2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane. 3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported. + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported. - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. 
You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks. 4. Click **Search**. The **Finding Computers** window appears and displays the search progress as the computers are located. 
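Review bot: The rewritten sentence "Both IPv4 and IPv6addressing are supported." in step 3 still carries the missing space from the line it replaces. Since the line is being changed anyway, make it "Both IPv4 and IPv6 addressing are supported."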
@@ -70,9 +70,9 @@ You can sort the list of products so that it is easier to find the computers tha To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: - To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. +- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. 
- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. **Note** 
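Review bot: The added line under "To collect status information from the selected computers" keeps "continue to step 2.If you are supplying" with no space after the period, and it points to "step 2" although the steps visible in this hunk are unnumbered bullets. Suggest "continue to the next step. If you are supplying alternate credentials, ..." or converting the two bullets to a numbered list so the reference resolves.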
@@ -91,9 +91,9 @@ To collect the status from select computers in the database, you can select comp 1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. 2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. 4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. 
Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time. 6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index ef45dc1c96..da420e7365 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md 
@@ -25,9 +25,9 @@ This section provides step-by-step instructions on implementing the Volume Activ |------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | |[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | +|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | -## Related topics +## Related articles - [Introduction to VAMT](introduction-vamt.md)     diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 70d738e262..1a4195b593 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md 
@@ -18,16 +18,16 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools -To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. +To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you will learn about the most commonly used tools for Windows 10 deployment. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools are not a complete solution on their own. 
It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. -In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations +In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations ## Windows Assessment and Deployment Kit -Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). +Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. 
For more information, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ![figure 1.](images/win-10-adk-select.png) @@ -43,7 +43,7 @@ DISM services online and offline images. For example, with DISM you can install Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` -In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: +In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All @@ -67,9 +67,9 @@ Occasionally, we find that customers are wary of USMT because they believe it re USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This performs the user-state backup. -- **LoadState.exe.** This performs the user-state restore. -- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe.** This tool performs the user-state backup. +- **LoadState.exe.** This tool performs the user-state restore. +- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: 
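Review bot: In the @@ -18,16 hunk of windows-deployment-scenarios-and-tools.md, the rewritten line "+In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations" still ends without a period, and it uses present tense where the first paragraph's added line says "In this article, you will learn". Both lines are already being touched for the topic-to-article change, so add the terminal period and settle on one tense in the same edit.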
@@ -85,20 +85,20 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv,dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. - **Note**   - The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. + > [!NOTE] + > The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. 
- Operating system component settings - Application settings -These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). +These settings are the ones migrated by the default MigUser.xml and MigApp.xml templates. For more information on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for re-imaging the device with a custom image. ![figure 4.](images/windows-icd.png) 
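Review bot: The file-type list in the @@ -85,20 hunk regresses: the removed line has ".csv, .dif," and the added line has ".csv,dif,", so the space and the leading dot before dif are lost and the list no longer names the .dif extension the way it names every other one. Restore ".csv, .dif," on the added line.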
@@ -108,7 +108,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ ### Windows System Image Manager (Windows SIM) -Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. +Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. ![figure 7.](images/mdt-11-fig07.png) @@ -168,7 +168,7 @@ In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/wind ### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so — editing the registry — was not user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: 
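Review bot: In the @@ -168,7 TFTP hunk the added sentence keeps the original error "the method of do so" (it should read "the method of doing so"), and the new wording "this modification in settings has become much easier to do as it can be configured as a setting" uses "setting" twice in one clause. Suggest something like "In Windows Server 2012, this change is much easier because it can be configured as a setting."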
@@ -210,7 +210,7 @@ The SCM console showing a baseline configuration for a fictional client's comput ## Microsoft Desktop Optimization Pack -MDOP is a suite of technologies available to Software Assurance customers through an additional subscription. +MDOP is a suite of technologies available to Software Assurance customers through another subscription. The following components are included in the MDOP suite: 
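Review bot: Replacing "an additional subscription" with "another subscription" in the @@ -210,7 hunk changes the meaning: "additional" says the MDOP subscription comes on top of Software Assurance, while "another" reads as a different, unrelated subscription. If the style checker rejects "additional", "an extra subscription" keeps the sense.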
@@ -267,29 +267,29 @@ With UEFI, you can benefit from: - **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. - **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. - **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. - **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. - **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. - **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. 
### Versions -UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. +UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. ### Hardware support for UEFI In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. 
+- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment 
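Review bot: In the device-class list of the @@ -267,29 hunk, the new Class 0 text "The device of this class is the UEFI definition for a BIOS, or non-UEFI, device" is harder to read than the line it replaces and is singular where the other three bullets say "The devices of this class". "This class is the UEFI definition for a BIOS, or non-UEFI, device" would be enough. The Class 2 bullet still ends with "These are the most common type of devices currently available", so the pronoun pattern this change set out to remove is only partly fixed there.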
@@ -297,12 +297,12 @@ There are many things that affect operating system deployment as soon as you run - Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. - When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. - UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. -## Related topics +## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) \ No newline at end of file From 332f1f3c3fc28244ab93489814c9b2db8e1d3d19 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 12:05:37 +0530 Subject: [PATCH 080/217] Acrolinx issues fixed --- ...abase-management-strategies-and-deployment.md | 16 ++++++++-------- ...rotection-considerations-for-windows-to-go.md | 6 +++--- .../using-the-sdbinstexe-command-line-tool.md | 2 +- .../deployment/planning/using-the-sua-wizard.md | 4 ++-- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index fae3bcf0a8..29b77be77b 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -49,7 +49,7 @@ Microsoft provides general recommends the following remedies for improving the m - **Define your resources responsible for addressing questions and enforcing your standards** - Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. + Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, ensure that someone in your organization stays current with the relevant technology. ## Strategies for Deploying Your Compatibility Fixes 
@@ -64,7 +64,7 @@ Determine which method best meets your organization's deployment needs. ### Deploying Fixes as Part of an Application-Installation Package -One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. +One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this method is the most straightforward one for deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. 
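Review bot: The added sentence in the @@ -64,7 hunk now says "this method" twice: "While this method is the most straightforward one for deployment, it has been shown that this method can become overly complex". Replace the second occurrence with "it" so the sentence reads "... it has been shown that it can become overly complex, especially if you are fixing a large number of applications."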
@@ -74,7 +74,7 @@ If the following considerations apply to your organization, you should avoid thi - **Will you be able to track which applications are installed on which computer?** - You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the additional issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. ### Deploying Fixes Through a Centralized Compatibility-Fix Database 
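Review bot: "the additional issues" became "the other issues" in the @@ -74,7 hunk, which blurs the point of the sentence: the updated database is deployed to resolve issues found in addition to the initial set of fixes. "the remaining issues" would keep that meaning without the flagged word.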
@@ -82,23 +82,23 @@ The other recommended strategy for deploying compatibility fixes into your organ This approach tends to work best for organizations that have a well-developed deployment infrastructure in place, with centralized ownership of the process. We recommend that you consider the following before using this approach: -- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the effected computers? +- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the affected computers? If you intend to manage a centralized compatibility-fix database, you must verify that your organization has the required tools to deploy and update all of the affected computers in your organization. - Do you have centralized resources that can manage and update the centralized compatibility-fix database? - You must ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + Ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. ### Merging Centralized Compatibility-Fix Databases -If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. 
+If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This provision enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. **To merge your custom-compatibility databases** 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an additional compatibility fix that is not a part of the original compatibility-fix database, he or she must create a new custom compatibility database with all of the required information for that single fix. For example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that is not a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. 
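Review bot: In the @@ -82,23 hunk, "This provision enables you to create a single custom compatibility-fix database" introduces a noun ("provision") that nothing earlier in the paragraph sets up; "Merging enables you to ..." names the actual subject. In step 2 the example is now attached with a comma ("for that single fix, for example, Custom DB2.") while step 1 keeps it as its own sentence ("For example, Custom DB1."), so the two steps should use the same form. The "effected" to "affected" correction in the first bullet is right.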
@@ -128,7 +128,7 @@ In order to meet the two requirements above, we recommend that you use one of th You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization. > [!IMPORTANT] - > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: + > Ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: >`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)` diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index a40bab3ece..4bfd9b2dd9 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md 
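Review bot: The custom action type line kept as context in the @@ -128,7 hunk ends with a closing parenthesis that has no opening one ("= 0x0C06 = 3078 decimal)"), and the context line above it says ".sib file" while the Sdbinst.exe examples later in this series use ".sdb". Neither is touched by the change, but both sit next to the edited line and are worth fixing in the same pass, since this note is what tells administrators how to mark the script so that it does not impersonate the calling user.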
@@ -32,12 +32,12 @@ One of the most important requirements to consider when you plan your Windows To As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). ## BitLocker -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. 
When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. 
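Review bot: The rewritten BitLocker paragraph in the @@ -32,12 hunk still carries "your organizations domain controller" (missing apostrophe, "organization's") and "more strict requirements" ("stricter"), both on the added line. In the paragraph before it, dropping "strongly" from "is strongly recommended" also softens the guidance on roaming user profiles, folder redirection, and offline files; confirm that is intended and not only a style-checker substitution.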
@@ -51,7 +51,7 @@ If you are using a host computer running Windows 7 that has BitLocker enabled, ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. 
If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 46307344ea..02820bf6da 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -63,7 +63,7 @@ The following table describes the available command-line options. |Option|Description| |--- |--- | |-?|Displays the Help for the Sdbinst.exe tool.

For example,
`sdbinst.exe -?`| -|-p|Allows SDBs installation with Patches.

For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| +|-p|Allows SDBs' installation with Patches.

For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| |-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

For example,
`sdbinst.exe -q`| |-u *filepath*|Does an uninstallation of the specified database.

For example,
`sdbinst.exe -u C:\example.sdb`| |-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).

For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index bcbda77946..015122670a 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -34,7 +34,7 @@ For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool. ## Testing an Application by Using the SUA Wizard -You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. +Install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. The following flowchart shows the process of using the SUA Wizard. 
@@ -76,7 +76,7 @@ The following flowchart shows the process of using the SUA Wizard. The SUA Wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). ## Related articles [SUA User's Guide](sua-users-guide.md) From cc0bad2918b2bacdeb0f6e64990923fc82fa90ff Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 13:35:08 +0530 Subject: [PATCH 081/217] Acrolinx issues fixed --- .../deployment/planning/sua-users-guide.md | 2 +- .../planning/using-the-sua-wizard.md | 30 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 83926ee905..e8e6f31b30 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md 
@@ -40,7 +40,7 @@ You can use SUA in either of the following ways: |Topic|Description| |--- |--- | -|[Using the SUA Wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| +|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| |[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 015122670a..63fe07dfd7 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,6 +1,6 @@ --- -title: Using the SUA Wizard (Windows 10) -description: The Standard User Analyzer (SUA) Wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +title: Using the SUA wizard (Windows 10) +description: The Standard User Analyzer (SUA) wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: laurawi @@ -15,7 +15,7 @@ ms.date: 04/19/2017 ms.topic: article --- -# Using the SUA Wizard +# Using the SUA wizard **Applies to** 
@@ -27,30 +27,30 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). -## Testing an Application by Using the SUA Wizard +## Testing an Application by Using the SUA wizard -Install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. +Install Application Verifier before you can use the SUA wizard. If Application Verifier is not installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. -The following flowchart shows the process of using the SUA Wizard. +The following flowchart shows the process of using the SUA wizard. ![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg) -**To test an application by using the SUA Wizard** +**To test an application by using the SUA wizard** -1. On the computer where the SUA Wizard is installed, sign in by using a non-administrator account. +1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account. -2. Run the Standard User Analyzer Wizard. +2. Run the Standard User Analyzer wizard. 3. 
Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. 4. Click **Launch**. - If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. + If you are prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. @@ -58,11 +58,11 @@ The following flowchart shows the process of using the SUA Wizard. 6. After you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 7. Click **No**. - The SUA Wizard shows a list of potential remedies that you might use to fix the application. + The SUA wizard shows a list of potential remedies that you might use to fix the application. 8. Select the fixes that you want to apply, and then click **Launch**. 
@@ -70,11 +70,11 @@ The following flowchart shows the process of using the SUA Wizard. 9. Test the application again, and after you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 10. If the application ran correctly, click **Yes**. - The SUA Wizard closes the issue as resolved on the local computer. + The SUA wizard closes the issue as resolved on the local computer. If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). From 4cd66bf706bc149717552613573ed5bab5199b75 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 15:16:54 +0530 Subject: [PATCH 082/217] Resolved suggestions --- ...ix-information-sent-to-microsoft-during-activation-client.md | 1 + windows/deployment/windows-deployment-scenarios-and-tools.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index b36419cb21..58c3926442 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -1,5 +1,6 @@ --- title: Appendix Information sent to Microsoft during activation (Windows 10) +description: Learn about the information sent to Microsoft during activation. ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 ms.reviewer: manager: laurawi diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 1a4195b593..84d317c451 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. -![figure 7.](images/mdt-11-fig09.png) +![Figure no. 7.](images/mdt-11-fig09.png) A machine booted with the Windows ADK default Windows PE boot image. From 2455056eb6ad50ae6cf15af3514861a37a89a84d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 15:20:19 +0530 Subject: [PATCH 083/217] Update appendix-information-sent-to-microsoft-during-activation-client.md --- ...dix-information-sent-to-microsoft-during-activation-client.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 58c3926442..e67fd3d3d5 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -5,7 +5,6 @@ ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 ms.reviewer: manager: laurawi ms.author: greglin -description: keywords: vamt, volume activation, activation, windows activation ms.prod: w10 ms.mktglfcycl: deploy From b6390b76a97cdf39018aa4c54709626365f81c83 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 16:56:37 +0530 Subject: [PATCH 084/217] Update import-export-vamt-data.md --- .../volume-activation/import-export-vamt-data.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 502813e80e..68bf78eeba 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,6 +1,6 @@ --- -title: Import and Export VAMT Data (Windows 10) -description: Learn how to use the Volume Activation Management Tool (VAMT) to import product-activation data from a .cilx or .cil file into SQL Server. +title: Import and Export Volume Activation Management Tool (VAMT) Data (Windows 10) +description: Learn how to use the VAMT to import product-activation data from a .cilx or .cil file into SQL Server. ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f ms.reviewer: manager: laurawi 
@@ -15,15 +15,15 @@ ms.date: 04/25/2017 ms.topic: article --- -# Import and Export VAMT Data +# Import and Export Volume Activation Management Tool (VAMT) Data You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: - Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. +- Export data to perform proxy activations. **Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. +Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method is not supported. ## Import VAMT Data @@ -37,7 +37,7 @@ Editing a .cilx file using an application other than VAMT can corrupt the .cilx Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: 1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. 3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. 4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. 5. Under **Export options**, select one of the following data-type options: 
@@ -47,6 +47,6 @@ Exporting VAMT data from a non-Internet-connected VAMT host computer is the firs 6. If you have selected products to export, select the **Export selected product rows only** check box. 7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. -## Related topics +## Related articles - [Perform Proxy Activation](proxy-activation-vamt.md) From d67178338e93754b9d3bc59091e42d8e15fcfe51 Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Thu, 20 Jan 2022 14:21:56 -0600 Subject: [PATCH 085/217] Update bitlocker-csp.md This is based on my testing on Win10 and Win11 devices using bitlocker CSP deployed from Intune. --- windows/client-management/mdm/bitlocker-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 4530da2896..46b420a3e4 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML: ``` > [!NOTE] -> Currently only used space encryption is supported when using this CSP. +> Currently only full disk encryption is supported when using this CSP. From 49bcc34ac86b6de75242b67c77f1630c714e519b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 22:06:46 +0530 Subject: [PATCH 086/217] Update whats-new-windows-10-version-21H1.md --- .../whats-new-windows-10-version-21H1.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 06aade74c5..62cf673267 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md 
@@ -24,7 +24,7 @@ This article lists new and updated features and content that is of interest to I Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. -For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2 have the ability to update quickly to version 21H1 via an enablement package. For more details, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). +For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). ## Servicing 
@@ -42,13 +42,13 @@ A new [resolved issues](/mem/autopilot/resolved-issues) article is available tha A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information,, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management 
@@ -74,7 +74,7 @@ The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) ## General fixes -See the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/) for more information. +For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/). This release includes the following enhancements and issues fixed: @@ -88,7 +88,7 @@ This release includes the following enhancements and issues fixed: - an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors. - an issue that sometimes prevents the input of strings into the Input Method Editor (IME). - an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions. -- a stop error that occurs at start up. +- a stop error that occurs at the start. - an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page. - an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana. - removed the history of previously used pictures from a user account profile. 
@@ -104,8 +104,8 @@ This release includes the following enhancements and issues fixed: - an issue that prevents wevtutil from parsing an XML file. - failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. - We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. -- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum is not valid. -- the WinHTTP AutoProxy service does not comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. +- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid. +- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. - We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns. - We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues. - We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver. 
@@ -122,7 +122,7 @@ This release includes the following enhancements and issues fixed: * Default value = 1; enables the log. * Value other than 1; disables the log. - If this key does not exist, it will be created automatically. + If this key doesn't exist, it will be created automatically. To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service. - We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client. - We turned off token binding by default in Windows Internet (WinINet). @@ -137,4 +137,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
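Review bot: In the whats-new-windows-10-version-21H1.md hunk at @@ -42,13 +42,13 @@, the added Intune RBAC line reads "For more information,, see [Create Enrollment Status Page profile and assign to a group]" with a doubled comma. It should read "For more information, see". The removed line was only missing the comma, so a single one is all that is needed.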
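Review bot: In the whats-new-windows-10-version-21H1.md hunk at @@ -88,7 +88,7 @@, changing "a stop error that occurs at start up" to "a stop error that occurs at the start" drops what the error occurs at the start of, so the fix list no longer tells the reader this is a stop error during system startup. Suggest keeping the meaning with "a stop error that occurs at startup".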
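Review bot: In windows/client-management/mdm/bitlocker-csp.md (PATCH 085/217, hunk at @@ -120,7 +120,7 @@), the note is inverted from "only used space encryption is supported" to "only full disk encryption is supported" with no qualification in the text. The commit message says the change is based on testing Win10 and Win11 devices with the CSP deployed from Intune, so the note should state which Windows versions it applies to, or the change should be confirmed by the feature owner before the earlier statement is replaced outright. Administrators read this line to learn how much of the volume the policy actually encrypts.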
From c451f4c8eb50c0bc3331f09a68475cd1b8ae0192 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 22:28:22 +0530 Subject: [PATCH 087/217] updates --- .../includes/configure-additional-search-engines-shortdesc.md | 2 +- .../includes/configure-kiosk-mode-shortdesc.md | 2 +- .../includes/provision-favorites-shortdesc.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index 873d33a2f0..8b7bc5ad00 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md @@ -9,4 +9,4 @@ ms.prod: edge ms.topic: include --- -By default, users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, you can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +Users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, the users can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index c76de7864b..f2bddfe2b7 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md 
@@ -9,7 +9,7 @@ ms.prod: edge ms.topic: include --- -For the Microsoft Edge browser, configure a behavior that is to be exhibited in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. +Configure a behavior to be displayed by the Microsoft Edge browser in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. You can facilitate the following functionalities in the Microsoft Edge browser: - Execution of InPrivate full screen diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 77281a67f6..79fca42087 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -9,11 +9,11 @@ ms.prod: edge ms.topic: include --- -By default, you can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. +You can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. > [!NOTE] > The standard list of favorites can include folders. The favorites that you add also become part of this standard list. -Once your customized Favorites list appears in the Microsoft Edge browser, you cannot customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. +Once your customized Favorites list appears in the Microsoft Edge browser, you can't customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. From ee369e88ff1fb45646d758c2be1ed1ca069adbc4 Mon Sep 17 00:00:00 2001 
From: Thomas Raya Date: Tue, 25 Jan 2022 09:18:42 -0800 Subject: [PATCH 088/217] Revert "Delete appv-create-a-package-accelerator-with-powershell.md" This reverts commit eca7661e5574728be0d2cfc797d463b7b0153fc5. --- ...e-a-package-accelerator-with-powershell.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md new file mode 100644 index 0000000000..2583a8e7d4 --- /dev/null +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
@@ -0,0 +1,51 @@ +--- +title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) +description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. +author: greg-lindsay +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +ms.date: 07/10/2018 +ms.reviewer: +manager: dansimp +ms.author: greglin +ms.topic: article +--- +# How to create a package accelerator by using Windows PowerShell + +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] + +App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. + +## Create a package accelerator + +1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). +2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. +3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +4. Enter the **New-AppvPackageAccelerator** cmdlet. + + The following parameters are required to use the package accelerator cmdlet: + + - *InstalledFilesPath* specifies the application installation path. + - *Installer* specifies the path to the application installer media. + - *InputPackagePath* specifies the path to the.appv package. + - *Path* specifies the output directory for the package. 
+ + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + + ```PowerShell + New-AppvPackageAccelerator -InputPackagePath -Installer -Path + ``` + + You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: + + - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. + + + + + +## Related articles + +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From f3374156614d5f07fa3c80064bb76a49b18e94b8 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 25 Jan 2022 09:23:44 -0800 Subject: [PATCH 089/217] Update appv-create-a-package-accelerator-with-powershell.md undo changes --- .../appv-create-a-package-accelerator-with-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 2583a8e7d4..79b713f591 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
@@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. + - *InputPackagePath* specifies the path to the .appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related articles +## Related topics - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From d809a4ec8d8f0f1396e9a3aaa1dbad12def4f4c1 Mon Sep 17 00:00:00 2001 
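Review bot: in appv-create-a-package-accelerator-with-powershell.md, the example under step 4 still does not match the parameter list this hunk edits. As shown here, the command passes -InputPackagePath, -Installer and -Path with no values and omits InstalledFilesPath, which the list marks as required. Since the sentence introducing the example is being reworded anyway, either add InstalledFilesPath with placeholder values for all four parameters or move it out of the required list. Separately, the heading goes back to "Related topics" while using-the-sua-wizard.md later in this series uses "Related articles"; pick one form for the set.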
From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:27:02 +0530 Subject: [PATCH 090/217] resolved Acrolinx check failures --- .../configure-additional-search-engines-shortdesc.md | 8 +++++++- .../includes/configure-kiosk-mode-shortdesc.md | 7 ++++++- .../includes/provision-favorites-shortdesc.md | 12 +++++++----- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index 8b7bc5ad00..cd9e9d9751 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md @@ -9,4 +9,10 @@ ms.prod: edge ms.topic: include --- -Users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, the users can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +The Set default search engine policy enables the users to: + +- Set a default search engine +- Configure up to five more search engines, and set any one of them as the default + +If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines + diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index f2bddfe2b7..8397ff7c18 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md 
@@ -9,7 +9,12 @@ ms.prod: edge ms.topic: include --- -Configure a behavior to be displayed by the Microsoft Edge browser in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. +You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device. + +> [!NOTE] +> You can define the browser's behavior only if you have the assigned access privileges. + +You can also define a behavior when Microsoft Edge serves as a single application. You can facilitate the following functionalities in the Microsoft Edge browser: - Execution of InPrivate full screen diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 79fca42087..1798b33e43 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md 
@@ -9,11 +9,13 @@ ms.prod: edge ms.topic: include --- -You can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. +You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes: -> [!NOTE] -> The standard list of favorites can include folders. +- Creating a standard list + - This standard list includes: + - Folders (which you can add) + - the list of favorites that you manually add, after creating the standard list -The favorites that you add also become part of this standard list. +This customized favorite is the final version. -Once your customized Favorites list appears in the Microsoft Edge browser, you can't customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. +You can't add folders again for organizing, and adding or removing any of the favorites configured. From 575edbd89e4b3a7cf37d0af054d6d092720fb3bb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:31:50 +0530 Subject: [PATCH 091/217] resolved Acrolinx check failure --- .../client-management/includes/provision-favorites-shortdesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 1798b33e43..2ddbc5c6d7 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -18,4 +18,4 @@ You can customize the Favorites list in the Microsoft Edge browser. Customizatio This customized favorite is the final version. -You can't add folders again for organizing, and adding or removing any of the favorites configured. + From fc90ef4fd07c6d68f517cfeeab0195b7bf8366f8 Mon Sep 17 00:00:00 2001 
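Review bot: in configure-kiosk-mode-shortdesc.md (@@ -9,7, PATCH 090), the added note "You can define the browser's behavior only if you have the assigned access privileges" changes the meaning of the removed sentence. That sentence described Microsoft Edge "in kiosk mode with assigned access", presenting assigned access as part of the kiosk configuration and not as a privilege the reader holds. The new text also drops the term "kiosk mode" altogether. Suggest keeping the original terms, for example: "Configure how Microsoft Edge behaves in kiosk mode with assigned access, either as a single app or as one of many apps running on the kiosk device."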
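Review bot: across the two provision-favorites-shortdesc.md hunks (@@ -9,11 in PATCH 090 and @@ -18,4 in PATCH 091), the restriction stated in the removed text is lost. The original said that once the customized list appears "you can't customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured". PATCH 090 rewrites that as the ungrammatical "You can't add folders again for organizing, and adding or removing any of the favorites configured", and PATCH 091 then deletes the line, leaving only "This customized favorite is the final version". Restore one clear sentence saying that the provisioned list cannot be changed afterwards, including adding folders and adding or removing favorites.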
From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:43:50 +0530 Subject: [PATCH 092/217] resolved Acrolinx check failure --- .../mdm/push-notification-windows-mdm.md | 26 +++++++++---------- .../mdm/tenantlockdown-csp.md | 4 +-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 0b8ad9e938..43c7d7baf5 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
@@ -28,27 +28,27 @@ Because a device may not always be connected to the internet, WNS supports cachi The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. This restriction means that these raw push notifications do not support or utilize push notification payloads. -- Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. -- Push is not a replacement for having a polling schedule. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. 
The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Push isn't a replacement for having a polling schedule. - WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. - To workaround this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. + To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. - On Windows 10, version 1511, we use the following retry logic for the DMClient: - - If ExpiryTime is greater than 15 days a schedule is set for when 15 days are left. - - If ExpiryTime is between now and 15 days a schedule set for 4 +/- 1 hours from now. 
- - If ExpiryTime has passed a schedule is set for 1 day +/- 4 hours from now. + - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. -- On Windows 10, version 1607, we check for network connectivity before retrying. We do not check for internet connectivity. If network connectivity is not available we will skip the retry and set schedule for 4+/-1 hours to try again. +- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. ## Get WNS credentials and PFN for MDM push notification -To get a PFN and WNS credentials, you must create an Microsoft Store app. +To get a PFN and WNS credentials, you must create a Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. @@ -68,8 +68,8 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. ![mdm push notification6.](images/push-notification6.png) -7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - - Application Id +7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as: + - Application ID - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. 
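Review bot: in push-notification-windows-mdm.md (@@ -28,27), the second retry bullet gains a comma but still reads "a schedule set for 4 +/- 1 hours from now" where the other two bullets say "a schedule is set"; add the missing "is". The workaround paragraph in the same hunk is changed only for "work around": it still needs a comma after "to the device", and "If they're already running Windows 10" has no clear antecedent (the sentence before it talks about servers, the advice is about devices).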
@@ -80,6 +80,6 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 11. From the left nav, expand **App management** and then click **App identity**. ![mdm push notification10.](images/push-notification10.png) -12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app. +12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app.   diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index af816d6d88..6f4815ab07 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md 
@@ -33,11 +33,11 @@ The root node. **RequireNetworkInOOBE** Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in. -When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. +When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option. Value type is bool. Supported operations are Get and Replace. - True - Require network in OOBE - False - No network connection requirement in OOBE -Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. +Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account. From abb34bdde2d96d78f0139bf87dc8de6a25a551b8 Mon Sep 17 00:00:00 2001 
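Review bot: in tenantlockdown-csp.md (@@ -33,11), the RequireNetworkInOOBE description keeps its doubled opening, "When RequireNetworkInOOBE is true, when the device goes through OOBE", and the hunk changes only the contraction in the sentence that follows. Consider "When RequireNetworkInOOBE is true and the device goes through OOBE at first sign-in or after a reset, the user is required to choose a network before proceeding", which also matches the hyphenated "sign-in" in the example scenario.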
From: Siddarth Mandalika Date: Thu, 27 Jan 2022 15:43:21 +0530 Subject: [PATCH 093/217] enhanced Acrolinx score --- ...ix-database-management-strategies-and-deployment.md | 6 +++--- windows/deployment/planning/sua-users-guide.md | 2 +- windows/deployment/planning/using-the-sua-wizard.md | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 29b77be77b..1d9fa5aab2 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -74,7 +74,7 @@ If the following considerations apply to your organization, you should avoid thi - **Will you be able to track which applications are installed on which computer?** - You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + You might determine that your initial set of compatibility fixes isn't comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you'll be required to locate each client computer that is running the application and replace the compatibility fix. ### Deploying Fixes Through a Centralized Compatibility-Fix Database 
@@ -88,7 +88,7 @@ This approach tends to work best for organizations that have a well-developed de - Do you have centralized resources that can manage and update the centralized compatibility-fix database? - Ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + Ensure that you've identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. ### Merging Centralized Compatibility-Fix Databases @@ -98,7 +98,7 @@ If you decide to use the centralized compatibility-fix database deployment strat 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an extra compatibility fix that is not a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index e8e6f31b30..3019bfd486 100644 --- a/windows/deployment/planning/sua-users-guide.md 
+++ b/windows/deployment/planning/sua-users-guide.md @@ -40,7 +40,7 @@ You can use SUA in either of the following ways: |Topic|Description| |--- |--- | -|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| +|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.| |[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 63fe07dfd7..dbea2d8bec 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,6 +1,6 @@ --- title: Using the SUA wizard (Windows 10) -description: The Standard User Analyzer (SUA) wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: laurawi 
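Review bot: in compatibility-fix-database-management-strategies-and-deployment.md (@@ -88,7), the edited sentence still ends "the process by which compatibility issues can be deployed to specific computers". The section is headed "Deploying Fixes Through a Centralized Compatibility-Fix Database", so "issues" looks like a slip for "fixes" and is worth correcting while the line is being changed for "you've".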
@@ -27,14 +27,14 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions. For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). ## Testing an Application by Using the SUA wizard -Install Application Verifier before you can use the SUA wizard. If Application Verifier is not installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. +Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. The following flowchart shows the process of using the SUA wizard. @@ -50,7 +50,7 @@ The following flowchart shows the process of using the SUA wizard. 4. Click **Launch**. - If you are prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. + If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. 
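Review bot: in using-the-sua-wizard.md, the intro edited in the @@ -27,14 hunk says the wizard "can't disable virtualization or elevate your permissions", while step 4 in the @@ -50,7 hunk tells the reader "If you're prompted, elevate your permissions" because the wizard "may require elevation of permissions". Both lines are being touched, so reword one of them to make clear whose permissions each sentence refers to; as written, a reader can take the two as contradictory. The prerequisite sentences ("Install Application Verifier before you can use the SUA wizard") also mix an imperative with "before you can"; "You must install ... before you can use" reads cleanly.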
@@ -76,7 +76,7 @@ The following flowchart shows the process of using the SUA wizard. The SUA wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). ## Related articles [SUA User's Guide](sua-users-guide.md) From 2046b4163b5b6b4bd3f7fbf980baf98c7a9c15ed Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:14:09 +0530 Subject: [PATCH 094/217] enhanced Acrolinx scores to fix failures --- ...ection-considerations-for-windows-to-go.md | 14 ++-- ...ndows-to-go-frequently-asked-questions.yml | 78 +++++++++---------- ...t-to-microsoft-during-activation-client.md | 14 ++-- .../import-export-vamt-data.md | 4 +- .../manage-activations-vamt.md | 6 +- .../volume-activation/vamt-step-by-step.md | 4 +- .../windows-deployment-scenarios-and-tools.md | 42 +++++----- 7 files changed, 81 insertions(+), 81 deletions(-) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 4bfd9b2dd9..ed4fe7d457 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md 
@@ -30,37 +30,37 @@ One of the most important requirements to consider when you plan your Windows To ## Backup and restore -As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. +When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). 
## BitLocker -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. 
**Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) +If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) -If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. +When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode. ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. 
**NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. 
If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. +Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. - [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index a912d623b5..ec5e722d45 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml 
@@ -22,7 +22,7 @@ summary: | - Windows 10 > [!IMPORTANT] - > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. @@ -50,7 +50,7 @@ summary: | - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - [What happens if I remove my Windows To Go drive while it is running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) 
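Review bot: The table-of-contents entry in the `-50,7` hunk changes its link text to "while it's running" but keeps the fragment `#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-`. The question itself is reworded to "it's running" in the `-213,14` hunk of this patch, and the neighbouring anchor `why-isn-t-my-computer-booting-from-usb-` suggests fragments are derived from the question text, so this link may stop resolving. Either update the fragment to match the new question or confirm that the build preserves the old anchor.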
@@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) 
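Review bot: The new link text in the `+` line, "why it doesn't have a drive letter assigned and how can I fix it?", is no longer a grammatical direct question; the original inverted order ("why doesn't it have") was correct and should be restored. The fragment still contains `why-doesn-t-it-have-a-drive-letter-assigned`, so the reworded text also drifts away from the anchor it points to.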
@@ -138,7 +138,7 @@ sections: - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - question: | Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? @@ -153,7 +153,7 @@ sections: - question: | How do I identify a USB 3.0 port? answer: | - USB 3.0 ports are usually marked blue or carry a SS marking on the side. + USB 3.0 ports are usually marked blue or carry an SS marking on the side. - question: | Does Windows To Go run faster on a USB 3.0 port? 
@@ -191,7 +191,7 @@ sections: If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) + To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.) After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. 
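Review bot: The context sentence at the top of this hunk, "If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually", is missing its subject and is left untouched by a change whose stated purpose is language cleanup. Suggest inserting "you" before "need to configure" in the same pass. The `+` line could also lose "to be sure" from "check the manufacturer's site to be sure if you don't know which key to use".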
@@ -213,14 +213,14 @@ sections: 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - 3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port. If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - question: | - What happens if I remove my Windows To Go drive while it is running? + What happens if I remove my Windows To Go drive while it's running? answer: | - If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. **Warning**   You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. 
@@ -230,28 +230,28 @@ sections: - question: | Can I use BitLocker to protect my Windows To Go drive? answer: | - Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace. - question: | Why can't I enable BitLocker from Windows To Go Creator? answer: | - Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types. - When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: 1. 
**Control use of BitLocker on removable drives** - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. 2. **Configure use of smart cards on removable data drives** - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard. 3. **Configure use of passwords for removable data drives** - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker. - Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. 
In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - question: | What power states does Windows To Go support? 
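Review bot: The rewritten first paragraph of the "Why can't I enable BitLocker from Windows To Go Creator?" answer still reads "your organizations computers"; it needs the possessive "organization's". In the same hunk, "Review the following setting to see if these settings apply" mixes singular and plural for a list of three policies, and each "If this setting is disabled" or "If this setting is enabled and ..." clause wants a comma before its main clause. These lines are already being touched, so fix them here.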
@@ -261,7 +261,7 @@ sections: - question: | Why is hibernation disabled in Windows To Go? answer: | - When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - question: | Does Windows To Go support crash dump analysis? 
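Review bot: The `+` line keeps the policy location as `**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\**`, with a doubled leading separator and a trailing one, so it is likely to render like a UNC path rather than a Group Policy node. Suggest dropping both, and tightening "the exact same hardware" to "the same hardware" while the sentence is being edited.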
@@ -273,7 +273,7 @@ sections: answer: | Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported. - question: | I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? 
@@ -281,14 +281,14 @@ sections: Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. **Warning**   - It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - question: | I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. + Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. 
This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. **Warning**   It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. 
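Review bot: Only the first warning in this hunk was updated. The second one still reads "It is strongly recommended that you do not mount internal hard drives" and contains the typo "therefor user state", so two adjacent warnings now use different wording. Apply the same contraction change there and correct "therefor" to "therefore". In the changed answer, "set SAN Policy 4 on Windows To Go drive" is also missing "the".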
@@ -323,7 +323,7 @@ sections: - question: | Do I need to activate Windows To Go every time I roam? answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. 
This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - question: | Can I use all Windows features on Windows To Go? 
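Review bot: The rewritten answer still carries three defects in the sentences it touches: "on periodic basis" is missing "a", "or a through remote connection" is transposed and should be "or through a remote connection", and there is a comma splice at "virtual private network connection), once activated the machine won't need". Suggest ending the sentence after the parenthesis and starting a new one with "Once activated, the machine won't need".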
@@ -338,22 +338,22 @@ sections: - question: | Does Windows To Go work slower than standard Windows? answer: | - If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - question: | If I lose my Windows To Go drive, will my data be safe? answer: | - Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - question: | Can I boot Windows To Go on a Mac? answer: | - We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. 
Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac. - question: | Are there any APIs that allow applications to identify a Windows To Go workspace? answer: | - Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device. Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. 
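Review bot: In the "If I lose my Windows To Go drive, will my data be safe?" answer, the `+` line keeps the unconditional "Yes!" even though the last sentence of the same answer says the data is vulnerable when BitLocker isn't enabled. Suggest opening with the condition, for example "Only if BitLocker is enabled on the drive.", so that a reader skimming the FAQ doesn't take the drive to be protected by default. Separately, "We're committed to give customers" should be "committed to giving customers".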
@@ -367,17 +367,17 @@ sections: - question: | Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? answer: | - No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace. - question: | Why won't Windows To Go work on a computer running Windows XP or Windows Vista? answer: | - Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. 
Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - question: | Why does the operating system on the host computer matter? answer: | - It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - question: | My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? 
@@ -386,17 +386,17 @@ sections: You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - 1. Log on to the host computer using an account with administrator privileges. + 1. Sign in to the host computer using an account with administrator privileges. 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. 3. Click **Suspend Protection** for the operating system drive. - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - 5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. 
@@ -405,41 +405,41 @@ sections: The host computer will now be able to be booted from a USB drive without triggering recovery mode. > [!NOTE] - > The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order. - question: | - I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? + I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it? answer: | Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: 1. Open a command prompt with full administrator permissions. > [!NOTE] - > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - 3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available. 4. 
After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - question: | Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? answer: | - One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. + One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. 
Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + In certain cases, third-party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. - question: | How do I upgrade the operating system on my Windows To Go drive? answer: | - There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version. additionalContent: | 
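Review bot: the rewritten question in this hunk (windows-to-go-frequently-asked-questions.yml, @@ -405,41) is no longer a grammatical direct question. "why it doesn't have a drive letter assigned and how can I fix it?" mixes a statement word order with the inverted "how can I fix it", where the removed line "why doesn't it have a drive letter assigned and how can I fix it?" was correct and parallel. Suggest restoring the original wording of that line. Two smaller points on lines this hunk adds: "device ID's" is still used as a plural twice in the third-party drivers paragraph and should be "device IDs", and "a Windows to Go drive" in the last answer paragraph does not match the "Windows To Go" capitalization used everywhere else in the file.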
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index e67fd3d3d5..992cec996b 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -33,13 +33,13 @@ ms.topic: article When you activate a computer running Windows 10, the following information is sent to Microsoft: -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- The Microsoft product code (a five-digit code that identifies the Windows product you're activating) - A channel ID or site code that identifies how the Windows product was originally obtained For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered +- Information that helps confirm that your Windows product key hasn't been altered - Computer make and model - Version information for the operating system and software - Region and language settings 
@@ -51,18 +51,18 @@ When you activate a computer running Windows 10, the following information is s This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined + - The activation exploits’ identifier + - The activation exploits’ current state, such as cleaned or quarantined - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit + - The activation exploits’ file name and hash apart from a hash of related software components that may indicate the presence of an activation exploit - The name and a hash of the contents of your computer’s startup instructions file - If your Windows license is on a subscription basis, information about how your subscription works -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. +Standard computer information is also sent, but your computer’s IP address is only kept temporarily. ## Use of information -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers. For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). ## See also diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 68bf78eeba..d79250faa8 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md 
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -23,7 +23,7 @@ You can import data or export data during the following scenarios: - Export data to perform proxy activations. **Warning**   -Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method is not supported. +Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method isn't supported. ## Import VAMT Data @@ -44,7 +44,7 @@ Exporting VAMT data from a non-Internet-connected VAMT host computer is the firs - Export products and product keys - Export products only - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. +6. If you've selected products to export, select the **Export selected product rows only** check box. 7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. ## Related articles diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 6c96637ddf..78091384e8 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -24,11 +24,11 @@ This section describes how to activate a client computer, by using various activ |Topic |Description | |------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. | |[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. | diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index da420e7365..bf81a8a5ad 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md 
@@ -17,14 +17,14 @@ ms.topic: article # VAMT Step-by-Step Scenarios -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. +This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started. ## In this Section |Topic |Description | |------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. | |[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | ## Related articles 
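Review bot: in the intro sentence of this hunk (vamt-step-by-step.md), "VAMT supports many common scenarios; it describes here some of the most common to get you started" makes "it" refer to VAMT, and the tool does not describe anything. The removed wording, "the scenarios in this section describe some of the most common", had a clear subject. Suggest "VAMT supports many common scenarios; this section describes some of the most common to get you started."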
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 84d317c451..1a62df47e7 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md 
@@ -18,9 +18,9 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools -To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you will learn about the most commonly used tools for Windows 10 deployment. +To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools are not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), Volume Activation Management Tool (VAMT), User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools aren't a complete solution on their own. 
It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations @@ -61,7 +61,7 @@ For more information on DISM, see [DISM technical reference](/windows-hardware/m USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process. **Note**   -Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works. +Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you'll learn later, using USMT isn't difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it's easy to use. With MDT, you do nothing at all and USMT just works. 
@@ -75,7 +75,7 @@ In addition to these tools, there are also XML templates that manage which data - **Migration templates.** The default templates in USMT. - **Custom templates.** Custom templates that you create. -- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. +- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![figure 3.](images/mdt-11-fig06.png) 
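Review bot: the Config template bullet loses its punctuation in this hunk. "An optional template called Config.xml which you can use to exclude or include components" leaves a "which" clause with no comma in front of it, and the bullet now reads as a run-on. Either keep the removed form, "An optional template, called Config.xml, which you can use ...", or switch to "An optional template called Config.xml that you can use ...".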
@@ -86,7 +86,7 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: - Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv,dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. > [!NOTE] > The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. 
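Review bot: the file-type list fix in this hunk is incomplete. The added line changes ".csv,dif" to ".csv, dif", which fixes the spacing but still leaves the extension without its leading dot, unlike every other entry in the list. It should read ".csv, .dif". The NOTE that follows as context still says "are not migrated by default", so if the goal of the patch is consistent contractions, that line was missed.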
@@ -98,7 +98,7 @@ These settings are the ones migrated by the default MigUser.xml and MigApp.xml t ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for re-imaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for reimaging the device with a custom image. ![figure 4.](images/windows-icd.png) @@ -118,7 +118,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht ### Volume Activation Management Tool (VAMT) -If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. +If you don’t use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without Internet access, acting as a MAK proxy. ![figure 6.](images/mdt-11-fig08.png) 
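Review bot: the VAMT paragraph in the @@ -118,7 hunk changes meaning, not just style. The removed text, "If you don't use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT)", describes an option; the added text, "If you don't use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys", instructs the reader to use VAMT. If this patch is meant to be a wording cleanup only, keep the "you can" form in both sentences.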
@@ -142,12 +142,12 @@ The key thing to know about Windows PE is that, like the operating system, it ne A machine booted with the Windows ADK default Windows PE boot image. -For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). +For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). ## Windows Recovery Environment -Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. +Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE. ![figure 8.](images/mdt-11-fig10.png) 
@@ -158,17 +158,17 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- ## Windows Deployment Services -Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. +Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you'll use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. ![figure 9.](images/mdt-11-fig11.png) Windows Deployment Services using multicast to deploy three machines. -In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. 
+In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. The Active Directory integration mode is the best option, in most scenarios. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. ### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so — editing the registry — was not user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: 
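Review bot: the TFTP paragraph in this hunk is edited but keeps an existing grammar error. The added line still reads "the method of do so—editing the registry—wasn't user friendly"; since the line is being touched anyway, change it to "the method of doing so". In the Windows Deployment Services paragraph of the same hunk, "The Active Directory integration mode is the best option, in most scenarios." reads worse than the removed "In most scenarios, the Active Directory integration mode is the best option." and the trailing comma phrase should be moved back to the front or the comma dropped.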
@@ -248,14 +248,14 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface -For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. +For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: - 16-bit code -- 1 MB address space +- 1-MB address space - Poor performance on ROM initialization - MBR maximum bootable disk size of 2.2 TB 
@@ -264,13 +264,13 @@ As the replacement to BIOS, UEFI has many features that Windows can and will use With UEFI, you can benefit from: - **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. - **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. - **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. - **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. - **Flexible pre-operating system environment.** UEFI can perform many functions for you. 
You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. ### Versions 
@@ -283,22 +283,22 @@ In regard to UEFI, hardware is divided into four device classes: - **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. - **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. - **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. 
Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: - Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. - When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. -- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. From 4efc42cb405a5e0066ae18ba84526a13a6e3922c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:28:08 +0530 Subject: [PATCH 095/217] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
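Review bot: in the preceding patch, the @@ -51,18 +51,18 @@ hunk of appendix-information-sent-to-microsoft-during-activation-client.md changes meaning in three bullets. "The activation exploit's identifier", "current state" and "file name and hash" become "The activation exploits' ...", a plural possessive attached to singular nouns, although each item describes one exploit that was found or disabled. The same bullet also replaces "in addition to a hash of related software components" with "apart from a hash of related software components", which can be read as excluding that hash from what is sent. Since this list documents exactly which data leaves the machine, suggest reverting these three bullets to the removed wording. This note is placed here because the hunk does not end on a line boundary in this copy of the patch.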
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index ec5e722d45..62e665f800 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -50,7 +50,7 @@ summary: | - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-) - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) From e9aa58a0b9f6b4e0d9175def096307fdd15db577 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:33:58 +0530 Subject: [PATCH 096/217] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 62e665f800..9721c8da6e 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml 
@@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it--why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From 38e920b3ecb1b7d63ab86072146edcbcda0ee5f1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:41:36 +0530 Subject: [PATCH 097/217] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 9721c8da6e..62e665f800 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml 
@@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it--why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From dbd766686e0cda7b71345fbf2612a687bd3251c2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 28 Jan 2022 09:53:21 +0530 Subject: [PATCH 098/217] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 62e665f800..4de6a56139 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml 
@@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From f4750619b3bce921f8654014f64ba92d6991d825 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 28 Jan 2022 18:46:20 +0530 Subject: [PATCH 099/217] Acrolinx enhancement --- education/windows/autopilot-reset.md | 23 +-- education/windows/change-history-edu.md | 6 +- education/windows/change-to-pro-education.md | 26 ++-- .../windows/chromebook-migration-guide.md | 126 ++++++++--------- .../configure-windows-for-education.md | 22 +-- .../deploy-windows-10-in-a-school-district.md | 132 +++++++++--------- .../windows/deploy-windows-10-in-a-school.md | 110 +++++++-------- ...se-management-strategies-and-deployment.md | 2 +- 8 files changed, 226 insertions(+), 221 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index c0ac95e03e..41d85135d0 100644 
--- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -19,7 +19,12 @@ manager: dansimp - Windows 10, version 1709 -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. +IT admins or technical teachers can use Autopilot Reset to: + - Quickly remove personal files, apps, and settings, + - Reset Windows 10 devices from the lock screen anytime, and + - Apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. + +With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: 
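Review bot: the three new bullets in this hunk still carry the punctuation of the run-on sentence they replace: "Quickly remove personal files, apps, and settings," ends in a comma and "Reset Windows 10 devices from the lock screen anytime, and" ends in ", and". As list items they should stand alone, so drop the trailing commas and the "and" and end each item the same way. There is also no blank added line between "IT admins or technical teachers can use Autopilot Reset to:" and the first bullet, and the bullets are indented by one space; add the blank line and confirm the block renders as a list.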
@@ -30,7 +35,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. You can set the policy using one of these methods: 
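Review bot: the line edited here still reads "By default, this policy is set to 1 (Disable)" for a policy whose name already begins with Disable, so a reader cannot tell whether 1 turns the policy off or turns the credentials off. The following sentence says the default keeps Autopilot Reset from being triggered by accident, so state the effect directly (1 hides the Autopilot Reset credentials) and name the value that shows them. Changing only "It is" to "It's" leaves the ambiguity on a setting that gates a device reset from the lock screen.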
@@ -49,11 +54,11 @@ You can set the policy using one of these methods: - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Ensure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. 
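Review bot: the unchanged list item "Log into the PCs, go to the **Settings > System > About** page" at the end of this hunk keeps "Log into", while the same commit changes "custom login screen" to "custom sign-in screen" in the next hunk of this file and "Log in to" to "Sign in to" in change-to-pro-education.md. Change this item to "Sign in to the PCs" as well so the file uses one term.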
@@ -72,9 +77,9 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: + This will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Autopilot Reset + 1. Confirm/verify that the end user has the right to trigger Autopilot Reset. 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. @@ -93,7 +98,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. - Is returned to a known good managed state, connected to Azure AD and MDM. 
@@ -105,7 +110,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: @@ -113,7 +118,7 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/man reagentc /enable ``` -If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. ## Related topics diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index aafc6c622f..e977b03d61 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md 
@@ -85,14 +85,14 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| | --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | | [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | | [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. 
| | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | @@ -111,7 +111,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | +| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | ## November 2016 diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index ea30225b3e..a936025d6f 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md 
@@ -17,7 +17,7 @@ manager: dansimp # Change to Windows 10 Pro Education from Windows 10 Pro Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. - [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. @@ -43,7 +43,7 @@ For more info about Windows 10 default settings and recommendations for educatio ## Change from Windows 10 Pro to Windows 10 Pro Education -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. In this scenario: 
@@ -73,7 +73,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f ### Change using Windows Configuration Designer You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. -1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. +1. In Windows Configuration Designer, select **Provision desktop devices** to open the editor and create a provisioning package for Windows desktop editions. 2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to change to Windows 10 Pro Education. **Figure 2** - Enter the license key 
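Review bot: step 1 drops "simple" from "to open the simple editor". If "simple editor" is how Windows Configuration Designer labels this mode, the word identifies which editor the reader should expect rather than acting as a filler adjective, and removing it makes the step less precise. Confirm against the tool's UI and, if it is a product term, keep it and exempt it from the style rule.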
@@ -98,8 +98,8 @@ Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Educ When you change to Windows 10 Pro Education, you get the following benefits: -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. 
@@ -108,7 +108,7 @@ When you change to Windows 10 Pro Education, you get the following benefits: ### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. The change will only apply to Windows 10 Pro devices. **To turn on the automatic change to Windows 10 Pro Education** @@ -134,7 +134,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi 8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. 9. Click **Close** in the **Success** window. 
@@ -148,7 +148,7 @@ So what will users experience? How will they change their devices? ### For existing Azure AD joined devices Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. -### For new devices that are not Azure AD joined +### For new devices that aren't Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. #### Step 1: Join users’ devices to Azure AD @@ -224,7 +224,7 @@ If there are any problems with the Windows 10 Pro Education license or the acti In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. - The Windows 10 Pro Education change has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: @@ -234,7 +234,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription active

-**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. +**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. Windows 10 not activated and subscription active
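Review bot: in the @@ -148,7 hunk of change-to-pro-education.md, the heading changes from "### For new devices that are not Azure AD joined" to "### For new devices that aren't Azure AD joined", which changes the anchor generated from that heading. Patch 095 in this series edits a link target from "it-is-running" to "it-s-running" for a question that reads "it's running", and patches 096 to 098 change the same drive-letter anchor three times, so this kind of contraction edit has already produced broken in-page links here. Either leave heading text out of the contraction pass or update every link that targets the old anchor in the same commit.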

@@ -245,7 +245,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined **To determine if a device is Azure AD joined** -1. Open a command prompt and type the following: +1. Open a command prompt and type the following command: ``` dsregcmd /status @@ -280,7 +280,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. @@ -288,7 +288,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) -4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 66569c4674..65b576133c 100644 
--- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,6 +1,6 @@ --- title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp 
@@ -22,23 +22,23 @@ ms.date: 10/13/2017 - Windows 10 -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. +In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. +In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. 
## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. +App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. **Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. 
@@ -63,7 +63,7 @@ Record the following information about each app in your app portfolio: - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you will do with the higher priority apps. ### 
@@ -85,13 +85,13 @@ Table 1. Google App replacements -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. +It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Microsoft Store** In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. -In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. +In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. 
Record the Windows app that replaces the Chromebook app in your app portfolio. 
@@ -99,20 +99,20 @@ Record the Windows app that replaces the Chromebook app in your app portfolio. **Perform app compatibility testing for web apps** -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. +The majority of Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. ## Plan for migration of user and device settings -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. 
-In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. +In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** @@ -122,17 +122,17 @@ You use the Google Admin Console (as shown in Figure 1) to manage user and devic Figure 1. Google Admin Console -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 2. Settings in the Device Management node in the Google Admin Console |Section |Settings | |---------|---------| |Network |

These settings configure the network connections for Chromebook devices and include the following settings categories:
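Review bot: In the @@ -99,20 +99,20 @@ hunk above, the new line "You may discover at the end of this section that you've few or no higher priority settings to be migrated" contracts "have" where it is the main verb rather than an auxiliary, which reads as an error; keep "you have few or no" on that line. The same hunk rewrites the sentence beginning "You've also probably configured the Chromebook devices" but leaves "to help ensure the user data access" as it was; that phrase is ungrammatical (stray article or missing word) and should be fixed while the line is being touched.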