diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 38511a691a..f505c1d9de 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,20 @@
{
"redirections": [
+ {
+ "source_path": "windows/client-management/mdm/browserfavorite-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
@@ -5157,7 +5172,7 @@
},
{
"source_path": "windows/device-security/windows-10-mobile-security-guide.md",
- "redirect_url": "/windows/security/threat-protection/windows-10-mobile-security-guide",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@@ -5462,7 +5477,7 @@
},
{
"source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md",
- "redirect_url": "/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@@ -12072,7 +12087,7 @@
},
{
"source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md",
- "redirect_url": "/windows/access-protection/installing-digital-certificates-on-windows-10-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@@ -13562,7 +13577,7 @@
},
{
"source_path": "windows/keep-secure/windows-10-mobile-security-guide.md",
- "redirect_url": "/windows/device-security/windows-10-mobile-security-guide",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 557d57b34a..e6c30a056e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -34,6 +34,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
| Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
| Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
+| Hide Internet Explorer 11 Application Retirement Notification | Administrative Templates\Windows Components\Internet Explorer | Internet Explorer 11 on Windows 10 20H2 & newer | This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11’s retirement from showing up.
If you disable or don’t configure this setting, the notification will be shown. |
| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.
If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.
If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.
If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index ba848193c2..1c5a8d3904 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,15 @@
+## Week of December 13, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 12/13/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
+| 12/13/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
+
+
## Week of November 29, 2021
diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md
index 4cebea6e8c..e8f13c7d35 100644
--- a/smb/includes/smb-content-updates.md
+++ b/smb/includes/smb-content-updates.md
@@ -2,10 +2,9 @@
-## Week of October 25, 2021
+## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
-| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
-| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified |
+| 12/14/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index e84a7708a4..d14bc10108 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -2,6 +2,17 @@
+## Week of December 13, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
+| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified |
+| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
+| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
+
+
## Week of November 15, 2021
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 43afa3c4c5..1660c5406a 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -12,7 +12,7 @@ manager: dansimp
---
# How to keep apps removed from Windows 10 from returning during an update
->Applies to: Windows 10 (Semi-Annual Channel)
+> Applies to: Windows 10 (General Availability Channel)
When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803.
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 8a7c060339..0c976ceceb 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -150,49 +150,19 @@ If you receive BCD-related errors, follow these steps:
2. Restart the computer to check whether the problem is fixed.
-3. If the problem is not fixed, run the following command:
-
- ```console
- Bootrec /rebuildbcd
- ```
-
-4. You might receive one of the following outputs:
-
- ```console
- Scanning all disks for Windows installations. Please wait, since this may take a while ...
- Successfully scanned Windows installations. Total identified Windows installations: 0
- The operation completed successfully.
- ```
-
- ```console
- Scanning all disks for Windows installations. Please wait, since this may take a while ...
- Successfully scanned Windows installations. Total identified Windows installations: 1
- D:\Windows
- Add installation to boot list? Yes/No/All:
- ```
-
- If the output shows **windows installation: 0**, run the following commands:
+3. If the problem is not fixed, run the following commands:
```console
bcdedit /export c:\bcdbackup
- attrib c:\\boot\\bcd -r –s -h
+ attrib c:\boot\bcd -r -s -h
- ren c:\\boot\\bcd bcd.old
+ ren c:\boot\bcd bcd.old
bootrec /rebuildbcd
```
-
- After you run the command, you receive the following output:
-
- ```console
- Scanning all disks for Windows installations. Please wait, since this may take a while ...
- Successfully scanned Windows installations. Total identified Windows installations: 1
- {D}:\Windows
- Add installation to boot list? Yes/No/All: Y
- ```
-5. Try restarting the system.
+4. Restart the system.
### Method 4: Replace Bootmgr
@@ -206,7 +176,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
attrib -r -s -h
```
-3. Run the same **attrib** command on the Windows (system drive):
+3. Navigate to the system drive and run the same command:
```console
attrib -r -s -h
@@ -394,7 +364,7 @@ If the dump file shows an error that is related to a driver (for example, window
- To do this, open WinRE, open a command prompt, and then run the following command:
```console
- SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
+ SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 5c5047248c..ec54bee4ae 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -9,7 +9,7 @@ ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
-ms.date: 09/14/2021
+ms.date: 01/18/2022
ms.reviewer:
manager: dansimp
ms.topic: article
@@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
- This command only works for AADJ device users already added to any of the local groups (administrators).
- Otherwise this command throws the below error. For example:
+ In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*"
@@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
- Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
+ Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 96b516b939..4530da2896 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive
ADMX Info:
-- GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
+- GP Friendly name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
- GP name: EncryptionMethodWithXts_Name
- GP path: Windows Components/BitLocker Drive Encryption
- GP ADMX file name: VolumeEncryption.admx
@@ -216,7 +216,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
ADMX Info:
-- GP English name: Provide the unique identifiers for your organization
+- GP Friendly name: Provide the unique identifiers for your organization
- GP name: IdentificationField_Name
- GP path: Windows Components/BitLocker Drive Encryption
- GP ADMX file name: VolumeEncryption.admx
@@ -276,7 +276,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
ADMX Info:
-- GP English name: Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
+- GP Friendly name: Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- GP name: EnablePreBootPinExceptionOnDECapableDevice_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -318,7 +318,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
ADMX Info:
-- GP English name: Allow enhanced PINs for startup
+- GP Friendly name: Allow enhanced PINs for startup
- GP name: EnhancedPIN_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -363,7 +363,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
ADMX Info:
-- GP English name: Disallow standard users from changing the PIN or password
+- GP Friendly name: Disallow standard users from changing the PIN or password
- GP name: DisallowStandardUsersCanChangePIN_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -408,7 +408,7 @@ Allows users to enable authentication options that require user input from the p
ADMX Info:
-- GP English name: Enable use of BitLocker authentication requiring preboot keyboard input on slates
+- GP Friendly name: Enable use of BitLocker authentication requiring preboot keyboard input on slates
- GP name: EnablePrebootInputProtectorsOnSlates_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -459,7 +459,7 @@ Allows you to configure the encryption type that is used by BitLocker.
ADMX Info:
-- GP English name: Enforce drive encryption type on operating system drives
+- GP Friendly name: Enforce drive encryption type on operating system drives
- GP name: OSEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
ADMX Info:
-- GP English name: Require additional authentication at startup
+- GP Friendly name: Require additional authentication at startup
- GP name: ConfigureAdvancedStartup_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -604,7 +604,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
ADMX Info:
-- GP English name:Configure minimum PIN length for startup
+- GP Friendly name:Configure minimum PIN length for startup
- GP name: MinimumPINLength_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -670,7 +670,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
ADMX Info:
-- GP English name: Configure pre-boot recovery message and URL
+- GP Friendly name: Configure pre-boot recovery message and URL
- GP name: PrebootRecoveryInfo_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -748,7 +748,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
ADMX Info:
-- GP English name: Choose how BitLocker-protected operating system drives can be recovered
+- GP Friendly name: Choose how BitLocker-protected operating system drives can be recovered
- GP name: OSRecoveryUsage_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -834,7 +834,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
ADMX Info:
-- GP English name: Choose how BitLocker-protected fixed drives can be recovered
+- GP Friendly name: Choose how BitLocker-protected fixed drives can be recovered
- GP name: FDVRecoveryUsage_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -929,7 +929,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
ADMX Info:
-- GP English name: Deny write access to fixed drives not protected by BitLocker
+- GP Friendly name: Deny write access to fixed drives not protected by BitLocker
- GP name: FDVDenyWriteAccess_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -987,7 +987,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
ADMX Info:
-- GP English name: Enforce drive encryption type on fixed data drives
+- GP Friendly name: Enforce drive encryption type on fixed data drives
- GP name: FDVEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Data Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -1037,7 +1037,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
ADMX Info:
-- GP English name: Deny write access to removable drives not protected by BitLocker
+- GP Friendly name: Deny write access to removable drives not protected by BitLocker
- GP name: RDVDenyWriteAccess_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removeable Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -1106,7 +1106,7 @@ Allows you to configure the encryption type that is used by BitLocker.
ADMX Info:
-- GP English name: Enforce drive encryption type on removable data drives
+- GP Friendly name: Enforce drive encryption type on removable data drives
- GP name: RDVEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
- GP ADMX file name: VolumeEncryption.admx
@@ -1150,7 +1150,7 @@ Allows you to control the use of BitLocker on removable data drives.
ADMX Info:
-- GP English name: Control use of BitLocker on removable drives
+- GP Friendly name: Control use of BitLocker on removable drives
- GP name: RDVConfigureBDE_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
- GP ADMX file name: VolumeEncryption.admx
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
deleted file mode 100644
index fa29e87d8d..0000000000
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: BrowserFavorite CSP
-description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
-ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 10/25/2021
----
-
-# BrowserFavorite CSP
-
-
-The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
-
-> [!Note]
-> BrowserFavorite CSP is only supported in Windows Phone 8.1.
-
-
-
-The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
-
-> [!Note]
-> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
-
-
-
-The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
-```console
-BrowserFavorite
-favorite name
-----URL
-```
-
-***favorite name***
-Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
-
-> [!Note]
-> The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
-
-
-
-Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
-
-**URL**
-Optional. Specifies the complete URL for the favorite.
-
-## OMA client provisioning examples
-
-
-Adding a new browser favorite.
-
-```xml
-
-
-
-
-
-
-
-
-```
-
-## Microsoft Custom Elements
-
-
-The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
-
-|Elements|Available|
-|--- |--- |
-|Parm-query|Yes|
-|Noparm|Yes|
-|Nocharacteristic|Yes|
-|Characteristic-query|Yes
Recursive query: Yes
Top-level query: Yes|
-
-## Related topics
-
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index ba1e38a584..1a39403fad 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -227,11 +227,11 @@ Optional. Specifies where to keep the private key.
The data type is an integer corresponding to one of the following values:
-| Value | Description |
-|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 1 | Private key protected by TPM. |
-| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
-| 3 | (Default) Private key saved in software KSP. |
+| Value | Description |
+|---|---|
+| 1 | Private key protected by TPM. |
+| 2 | Private key protected by phone TPM if the device supports TPM. |
+| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace.
@@ -361,7 +361,7 @@ The date type format is Null, meaning this node doesn’t contain a value.
The only supported operation is Execute.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
-Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Azure AD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail.
Data type is string.
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index ad299e4113..46bb00affa 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -556,21 +556,22 @@ Supported operations are Get, Add, Delete, Replace.
3
Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
-SCEP enrolled cert doesn’t support TPM PIN protection.
-Supported values:
+
+SCEP enrolled cert doesn’t support TPM PIN protection. Supported values:
+
1 – private key protected by TPM,
2 – private key protected by phone TPM if the device supports TPM.
-All Windows Phone 8.1 devices support TPM and will treat value 2 as 1
3 (default) – private key saved in software KSP
-4 – private key protected by NGC. If this option is specified, container name should be specifed, if not enrollment will fail
+4 – private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail.
Format is int.
Supported operations are Get, Add, Delete, Replace
+
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 930d7f0b3b..47a47c403e 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -15,7 +15,7 @@ ms.collection: highpri
# Configuration service provider reference
-A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
+A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the device image as a `.provxml` file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
@@ -150,18 +150,6 @@ Additional lists:
-
-[BrowserFavorite CSP](browserfavorite-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-
-
-
[CMPolicy CSP](cmpolicy-csp.md)
@@ -1147,6 +1135,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
- [Firewall-CSP](firewall-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
+- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md)
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index a13b3a0c7d..67d29f0ce3 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -25,7 +25,7 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
-> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
+> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
@@ -45,7 +45,7 @@ Microsoft recommends that this function isn't used to configure the following ty
- Email settings
> [!Note]
-> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
+> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@@ -54,37 +54,29 @@ Microsoft recommends that this function isn't used to configure the following ty
```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
LPCWSTR pszXmlIn,
- const WCHAR **rgszAllowedCspNode,
- const DWORD dwNumAllowedCspNodes,
- BSTR *pbstrXmlOut
+ const WCHAR **rgszAllowedCspNode,
+ const DWORD dwNumAllowedCspNodes,
+ BSTR *pbstrXmlOut
);
```
## Parameters
*pszXmlIn*
-
-- [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
-
-
+
+- [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
-
-- [in] Array of WCHAR\* that specify which configuration service provider nodes can be invoked.
-
-
+
+- [in] Array of `WCHAR` that specify which configuration service provider nodes can be invoked.
*dwNumAllowedCspNodes*
-
-- [in] Number of elements passed in rgszAllowedCspNode.
-
-
+
+- [in] Number of elements passed in rgszAllowedCspNode.
*pbstrXmlOut*
-
-- [out] The resulting null–terminated XML from configuration. The caller of DMProcessConfigXMLFiltered is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use SysFreeString to free the memory.
-
-
+
+- [out] The resulting null–terminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use **SysFreeString** to free the memory.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 2ab4830667..ee5936c3f4 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -36,7 +36,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- - GP English name
+ - GP Friendly name
- GP name
- GP ADMX file name
- GP path
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index c77b8f6df6..1bb3dbc3a7 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 12/03/2021
+ms.date: 01/03/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service:
-1. Verify that the user who is going to enroll the device has a valid Intune license.
+1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license.
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
-2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index f55e50ff03..254ba46424 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@@ -16,9 +16,9 @@ ms.date: 07/28/2017
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
-The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.
+The `` element the discovery response message specifies web authentication broker page start URL.
-For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
+For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
@@ -26,7 +26,7 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
@@ -35,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
-The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
+The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
@@ -146,7 +146,7 @@ A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse
The following are the explicit requirements for the server.
-- The <DiscoveryResponse><AuthenticationServiceUrl> element must support HTTPS.
+- The ```` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
@@ -156,8 +156,8 @@ The enrollment client issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=&login_hint=
```
-- <appid> is of the form ms-app://string
-- <User Principal Name> is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
+- `` is of the form ms-app://string
+- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
@@ -191,7 +191,7 @@ Content-Length: 556