Merge branch 'master' into patch-1

This commit is contained in:
Diana Hanson
2021-08-12 10:21:03 -06:00
committed by GitHub
56 changed files with 1326 additions and 302 deletions

View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

View File

@ -1,6 +1,6 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
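Review bot: the updated description still ends in a sentence fragment ("... re-image the devices. In Windows 10 and Windows 11."); fold the scope into the sentence, e.g. "... without the need to re-image the devices, in Windows 10 and Windows 11." The same fragment pattern is carried into the body text at the next hunk, so fix it in both places in this change.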
@ -18,7 +18,7 @@ ms.date: 06/26/2017
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
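Review bot: the hunk header shows `ms.date: 06/26/2017` unchanged although this hunk narrows the supported platforms (mobile dropped, Windows 11 added); bump the date so readers can tell the page was revised for Windows 11. Also "Windows 10 and 11 desktop devices" would read more consistently with the description line as "Windows 10 and Windows 11 desktop devices".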
@ -37,27 +37,29 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Windows 10 devices.
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premises authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** > **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
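Review bot: the context line at the top of this hunk still says "On the desktop and mobile devices, you can use an enrollment certificate or enro..." while the rewritten intro now restricts bulk enrollment to desktop devices; update that sentence in the same change or the page contradicts itself. Smaller points in the added lines: "Windows 10 devices." should become "Windows 10 or Windows 11 devices." to match the new scope; the two links on the WCD line both target `/windows/configuration/provisioning-packages/provisioning-install-icd`, so "Getting started with Windows WCD" is a duplicate link with a non-name (the product is Windows Configuration Designer, not "Windows WCD"); and "enrollment certificate for MDM.)." ends with a double period.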
@ -70,8 +72,9 @@ Using the ICD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
Here is the screenshot of the WCD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** > **Provisioning package**.
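Review bot: the **Secret** field documented in this hunk is a password, and step 9 adds Wi-Fi credentials via **WLANSetting**, so the package exported at step 11 carries live credentials; the procedure should say so at the export step and tell the reader to protect the exported .ppkg (encrypt and sign it at export if the tool offers that, and distribute it with the same care as the password itself). As written, a reader can follow the steps and end up with an unprotected enrollment secret on removable media.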
@ -90,12 +93,12 @@ Using the ICD, create a provisioning package using the enrollment information re
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
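Review bot: step 4 here names the option "Common to all Windows editions" while step 4 of the on-premises procedure (in the earlier hunk) names it "All Windows editions"; the two procedures describe the same WCD dialog, so use the label the tool actually shows in both places. The change to "all Windows editions" itself is fine and consistent with the Windows 11 scope.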
@ -129,8 +132,7 @@ Using the ICD, create a provisioning package using the enrollment information re
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
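Review bot: the "- topic in Technet" and "- topic in MSDN" suffixes are stale for links that now point at `/windows/configuration/...` paths, and the remaining lines are inconsistent about the trailing period ("topic in Technet." vs "topic in MSDN" with none); since this hunk already removes the Windows 10 Mobile item, drop the suffixes from the three survivors at the same time.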

View File

@ -35,6 +35,18 @@ Defender
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
----EnableNetworkProtection
--------AllowNetworkProtectionDownLevel
--------AllowNetworkProtectionOnWinServer
--------DisableNetworkProtectionPerfTelemetry
--------DisableDatagramProcessing
--------DisableInboundConnectionFiltering
--------EnableDnsSinkhole
--------DisableDnsOverTcpParsing
--------DisableHttpParsing
--------DisableRdpParsing
--------DisableSshParsing
--------DisableTlsParsing
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
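Review bot: the tree added here omits `DisableDnsParsing`, which the body of this same change documents as `EnableNetworkProtection/DisableDnsParsing` (the UDP DNS counterpart of `DisableDnsOverTcpParsing`); add `--------DisableDnsParsing` next to `--------DisableDnsOverTcpParsing` so the node list and the node descriptions agree.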
@ -125,7 +137,7 @@ The following table describes the supported values:
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
| 10 | Keylogger |
| 10 | Key logger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
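Review bot: "Keylogger" to "Key logger" is a regression; the one-word form is the conventional malware-category term and matches the other single-word entries in this table ("Dialer", "Trojan"). Suggest reverting.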
@ -185,7 +197,28 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status ( Cleared)
- 10 = No Status (Cleared)
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is integer.
The following list shows the supported values:
- 0 = Active
- 1 = Action failed
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status (Cleared)
Supported operation is Get.
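Review bot: the value list of the new `Detections/ThreatId/CurrentStatus` node (0 = Active through 10 = No Status (Cleared)) is a verbatim copy of the list of the node immediately above it in this hunk; confirm both nodes really share the same enumeration, otherwise one of the two is a copy-paste error and the wrong status values will be documented for it.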
@ -217,6 +250,139 @@ The data type is integer.
Supported operation is Get.
<a href="" id="enablenetworkprotection"></a>**EnableNetworkProtection**
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
Accepted values: Disabled, Enabled, and AuditMode
Position: Named
Default value: Disabled
Accept pipeline input: False
Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiondownlevel"></a>**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiononwinserver"></a>**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablenetworkprotectionperftelemetry"></a>**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabledatagramprocessing"></a>**EnableNetworkProtection/DisableDatagramProcessing**
Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disableinboundconnectionfiltering"></a>**EnableNetworkProtection/DisableInboundConnectionFiltering**
Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-enablednssinkhole"></a>**EnableNetworkProtection/EnableDnsSinkhole**
Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsovertcpparsing"></a>**EnableNetworkProtection/DisableDnsOverTcpParsing**
Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsparsing"></a>**EnableNetworkProtection/DisableDnsParsing**
Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="health"></a>**Health**
An interior node to group information about Windows Defender health status.
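Review bot: the new `EnableNetworkProtection` nodes are documented as PowerShell cmdlet parameters rather than CSP nodes: "Accepted values: Disabled, Enabled, and AuditMode", "Position: Named", "Accept pipeline input: False", "Accept wildcard characters: False", the `"$true"` values and the `-EnableDnsSinkhole` / `-EnableNetworkProtection` dash syntax are Set-MpPreference help text, while every other node in this file (see the `CurrentStatus` entry above) states "The data type is integer." and "Supported operation is Get." Each node here needs its CSP data type, the integer or boolean values an MDM server actually sends, and the supported operations (Get/Replace etc.), and the cmdlet metadata lines should go. Two wording errors in the same block: the `DisableTlsParsing` text ends "HTTP inspection can be disabled" where it means TLS inspection, and the `DisableSshParsing` text is broken into a fragment ("...known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata..."); the RDP entry directly above has the intended sentence shape.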
@ -248,7 +414,7 @@ Supported product status values:
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
- No status flags set (well initialized state) = 1 << 19
- No status flags set (well-initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
@ -552,7 +718,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
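Review bot: "Suggested applying to a small, representative part..." reads worse than the line it replaces, and the unchanged Broad line in the same block still says "Suggested to apply to a broad set...", so the hunk leaves the two sibling sentences in different forms. Use the pattern of the Preview line ("Suggested for ...") for both: "Suggested for a small, representative part of your production population (~10%)."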
@ -581,7 +747,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
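Review bot: same inconsistency as the earlier channel block: "Suggested applying to" here sits next to an unchanged "Suggested to apply to" on the Broad line; make both "Suggested for ..." to match the Preview line.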
@ -637,8 +803,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
1 Enabled.
0 (default) Not Configured.
- 1 Enabled.
- 0 (default) Not Configured.
More details:

View File

@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros operational needs, addressing security concerns for modern cloud-managed devices.
> [!NOTE]
>Intune support for the MDM security baseline is coming soon.
The MDM security baseline includes policies that cover the following areas:
@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
<span id="mmat" />
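Review bot: the context line above the edited link still embeds `[Preview]` inside a markdown link target (`...1809-MDM-SecurityBaseLine-Document-[Preview].zip`), which many markdown renderers mis-parse as nested link syntax; percent-encode the brackets (`%5BPreview%5D`) or wrap the URL in angle brackets while touching this section. The Intune link update itself is fine; "public preview" was correctly dropped from the sentence to match the new GA path.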

View File

@ -66,6 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
@ -95,4 +98,4 @@ ms.date: 07/22/2020
## Related topics
[Policy CSP](policy-configuration-service-provider.md)
[Policy CSP](policy-configuration-service-provider.md)
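Review bot: three `System/` policies are added to the list but the hunk header context shows `ms.date: 07/22/2020` unchanged; bump the date with the content change. The trailing duplicated `[Policy CSP]` line is only a final-newline fix and needs no action.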

View File

@ -55,6 +55,12 @@ items:
items:
- name: Collect data using Network Monitor
href: troubleshoot-tcpip-netmon.md
- name: "Part 1: TCP/IP performance overview"
href: /troubleshoot/windows-server/networking/overview-of-tcpip-performance
- name: "Part 2: TCP/IP performance underlying network issues"
href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network
- name: "Part 3: TCP/IP performance known issues"
href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues
- name: Troubleshoot TCP/IP connectivity
href: troubleshoot-tcpip-connectivity.md
- name: Troubleshoot port exhaustion

View File

@ -17,6 +17,9 @@ manager: dansimp
In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment.
- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
- [Part 1: TCP/IP performance overview](/troubleshoot/windows-server/networking/overview-of-tcpip-performance)
- [Part 2: TCP/IP performance underlying network issues](/troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network)
- [Part 3: TCP/IP performance known issues](/troubleshoot/windows-server/networking/tcpip-performance-known-issues)
- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)