diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index 0ffbb03551..4adf09ac5a 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -4,15 +4,14 @@
:targets {
:counts {
- ;;:spelling 10
- ;;:grammar 3
+ ;;:correctness 13
;;:total 15 ;; absolute flag count but i don't know the difference between this and issues
;;:issues 15 ;; coming from the platform, will need to be tested.
}
:scores {
;;:terminology 100
:qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
- ;;:spelling 40
+ ;;:correctness 40
}
}
@@ -22,7 +21,7 @@
{
"languageId" "en"
"ruleSetName" "Standard"
- "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE"
+ "requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE"
"TERMINOLOGY_DEPRECATED"
"TERMINOLOGY_VALID"
"VOICE_GUIDANCE"
@@ -35,7 +34,7 @@
"
## Acrolinx Scorecards
-**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
+**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.**
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
@@ -47,12 +46,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
-| Article | Score | Issues | Correctness
issues | Scorecard | Processed |
+| Article | Score | Issues | Correctness
score | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
" :template-change
- "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
+ "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
" :template-footer
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000000..deb2888417
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,39 @@
+
+
+
+## Why
+
+
+
+- Closes #[Issue Number]
+
+## Changes
+
+
+
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 37391cc166..83d51cf7f0 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -26,12 +26,6 @@
"recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
- "audience": "ITPro",
- "ms.technology": "internet-explorer",
- "ms.prod": "ie11",
- "ms.topic": "article",
- "manager": "dansimp",
- "ms.date": "04/05/2017",
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index ca1542a952..83c7c6b9b8 100644
--- a/brow

sers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -7,6 +7,7 @@ ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
+ms.prod: ie11
---
# Full-sized flowchart detailing how document modes are chosen in IE11
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 05e93f6e25..17eee2393b 100644
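Review bot: Dropping `audience`, `ms.technology`, `ms.prod`, `ms.topic`, `manager` and `ms.date` from `globalMetadata` removes the fallback for every page under browsers/internet-explorer/ that does not declare those keys in its own front matter, and the commit only adds `ms.prod: ie11` back to img-ie11-docmode-lg.md and internet-explorer.yml. Presumably the other articles already carry their own values, but that is not visible here; I would check with something like `grep -L '^ms.prod:' browsers/internet-explorer/**/*.md` before merging, and otherwise keep `"ms.prod": "ie11",` in `globalMetadata` until every page sets it. The enclosing `globalMetadata` object starts and ends outside the hunk.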
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -9,6 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
ms.date: 07/29/2022
+ ms.prod: ie11
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index b9d519b4c6..47c8557394 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,38 @@
+## Week of September 05, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
+| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
+| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
+| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified |
+
+
+## Week of August 29, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
+| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
+| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
+| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
+| 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
+| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
+| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
+| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
+| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
+| 8/31/2022 | [Management functionalities for Surface
devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
+| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
+| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
+| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
+| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
+
+
## Week of August 15, 2022
@@ -47,14 +79,3 @@
| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
-
-
-## Week of July 25, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added |
-| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified |
-| 7/25/2022 | Edit an existing topic using the Edit link | removed |
-| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified |
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index f90e7d595f..b3ef37c53c 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -26,18 +26,22 @@ items:
href: set-up-school-pcs-shared-pc-mode.md
- name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md
+ - name: Take tests and assessments in Windows
+ href: take-tests-in-windows-10.md
- name: How-to-guides
items:
- - name: Use the Set up School PCs app
- href: use-set-up-school-pcs-app.md
- - name: Take tests and assessments in Windows
- items:
- - name: Overview
- href: take-tests-in-windows-10.md
+ - name: Configure education features
+ items:
+ - name: Configure education themes
+ href: edu-themes.md
+ - name: Configure Stickers
+ href: edu-stickers.md
- name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- name: Configure a Test on multiple PCs
href: take-a-test-multiple-pcs.md
+ - name: Use the Set up School PCs app
+ href: use-set-up-school-pcs-app.md
- name: Change Windows edition
items:
- name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index b7d6452223..6893cd17a9 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -1,12 +1,8 @@
---
title: Chromebook migration guide (Windows 10)
description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
-ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
-keywords: migrate, automate, device, Chromebook migration
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu, devices
+ms.prod: windows-client
+ms.technology: itpro-edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
@@ -142,7 +138,7 @@ Table 3. Settings in the Security node in the Google Admin Console
|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
-**Identify locally-configured settings to migrate**
+**Identify locally configured settings to migrate**
In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
@@ -150,7 +146,7 @@ In addition to the settings configured in the Google Admin Console, users may ha Figure 2. Locally configured settings on Chromebook -Table 4. Locally-configured settings +Table 4. Locally configured settings | Section | Settings | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -206,7 +202,7 @@ In addition to Chromebook devices, users may have companion devices (smartphones
After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox.
-In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254).
+In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://support.microsoft.com/office/compare-how-different-mobile-devices-work-with-office-365-bdd06229-776a-4824-947c-82425d72597b).
**Identify the optimal timing for the migration**
@@ -416,11 +412,11 @@ Examine each of the following network infrastructure technologies and services a
For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources:
- - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255)
+ - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://www.principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf)
- - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256)
+ - [Hidden Cost of Chromebook Deployments](https://www.principledtechnologies.com/Microsoft/Windows_Chromebook_bandwidth_0514.pdf)
- - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257)
+ - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://www.principledtechnologies.com/Microsoft/Windows_8.1_vs_Chromebooks_in_Education_0715.pdf)
- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices.
@@ -442,15 +438,11 @@ You must perform some of the steps in this section in a specific sequence. Each
The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform.
-It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each.
+It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Use the following Microsoft network infrastructure products and technologies:
-Table 7. Network infrastructure products and technologies and deployment resources
-
-|Product or technology|Resources|
-|--- |--- |
-|DHCP|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))|
-|DNS|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
-
+- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
+- [DHCP overview](/windows-server/networking/technologies/dhcp/dhcp-top)
+- [DNS overview](/windows-server/networking/dns/dns-top)
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@@ -459,34 +451,39 @@ If you use network infrastructure products and technologies from other vendors,
It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
-In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
+In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both:
-Table 8. AD DS, Azure AD and deployment resources
-
-|Product or technology|Resources|
-|--- |--- |
-|AD DS|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| -|Azure AD|
  • [Azure Active Directory documentation](/azure/active-directory/)
  • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
+- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
+- [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services)
+- [Azure AD documentation](/azure/active-directory/)
+- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Prepare device, user, and app management systems
-
In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings.
-Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems.
+Use the following Microsoft management systems and the deployment resources to prepare (deploy or remediate) these management systems.
-Table 9.
Management systems and deployment resources
+- [Microsoft Intune](/mem/intune/fundamentals/setup-steps)
-|Management system|Resources|
-|--- |--- |
-|Windows provisioning packages|
  • [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
  • [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
-|Group Policy|
  • [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
  • [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
-|Configuration Manager|
  • [Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
-|Intune|
  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
  • [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
-|MDT|
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
+- [Windows Autopilot](/mem/autopilot/windows-autopilot)
+- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
+
+- Provisioning packages:
+
+ - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+ - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
+ - [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)
+
+- Group policy
+
+ - [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
+ - [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))
+
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Perform app migration or replacement
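Review bot: The new `- [Safely virtualizing Active Directory Domain Services (AD DS)](...)|` list item keeps a trailing `|` left over from the table row it replaced, so it will render with a stray pipe at the end of the line; the line should read `- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)`. The other items in that list and in the management-systems list further down the hunk are clean. Separately, the Azure AD Premium entry now points at a pricing page where the old entry pointed at a "Manage and support" guide; if the intent was to keep a how-to reference for the identity step, that link is worth a second look.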
@@ -494,21 +491,19 @@ If you determined that no new management system or no remediation of existing sy
In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer.
-In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
+In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Use the following Microsoft management systems and the app deployment resources to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
-Table 10. Management systems and app deployment resources
-
-|Management system|Resources|
-|--- |--- |
-|Group Policy|
  • [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
  • [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
  • [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
-|Configuration Manager|
  • [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
  • [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
-|Intune|
  • [Manage apps with Microsoft Intune](/mem/intune/)|
+- [Manage apps in Microsoft Intune](/mem/intune/apps/)
+- [App management in Configuration Manager](/mem/configmgr/apps/)
+- Group policy
+ - [Edit an AppLocker policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
+ - [Group policy software deployment background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
+ - [Assigning and publishing software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Perform migration of user and device settings
-
In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. Perform the user and device setting migration by using the following steps:
@@ -534,7 +529,7 @@ Alternatively, if you want to migrate to Office 365 from:
- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server:
- - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266)
+ - [What you need to know about a cutover email migration in Exchange Online](/exchange/mailbox-migration/what-to-know-about-a-cutover-migration)
- [Step-By-Step: Migration of Exchange 2003 Server to Office 365](/archive/blogs/canitpro/step-by-step-migration-of-exchange-2003-server-to-office-365)
@@ -544,7 +539,6 @@ Alternatively, if you want to migrate to Office 365 from:
## Perform cloud storage migration
-
In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps:
@@ -577,7 +571,9 @@ In the [Select a Windows device deployment strategy](#select-windows-device-depl
For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices.
-In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources:
+In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager or MDT. For more information on how to deploy Windows 10 images to the devices, see the following resources:
+
+- [OS deployment in Configuration Manager](/mem/configmgr/osd/)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
@@ -585,8 +581,6 @@ In some instances, you may receive the devices with Windows 10 already deployed
- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)
-- [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10))
-
In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment:
- Enroll the device with your management system.
@@ -601,10 +595,6 @@ After you complete these steps, your management system should take over the day-
## Related topics
-
[Try it out: Windows 10 deployment (for education)](../index.yml)
[Try it out: Windows 10 in the classroom](../index.yml)
-
-
-
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index aac455b777..857ad0910f 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -1,5 +1,5 @@
---
-title: Stickers for Windows 11 SE
+title: Configure Stickers for Windows 11 SE
description: Description of Stickers for Windows 11 SE and how to configure them via MDM
ms.date: 09/15/2022
ms.prod: windows
@@ -53,13 +53,6 @@ Stickers aren't enabled by default. IT administrators can allow students to pers
- Data type: **Integer**
- Value: **1**
1. Select **Save**
-1. Select **Add**
-1. In **Add Row**, enter the following properties:
- - Name: enter **IsEducationEnvironment**
- - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
- - Data type: **Integer**
- - Value: **1**
-1. Select **Save**
1. Select **Next**
1. In **Scope tags**, assign any applicable tags (optional)
1. Select **Next**
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index 49d14d2367..8dba7e4dc8 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -1,6 +1,6 @@
---
-title: Education themes for Windows 11 SE
-description: Description of education themes for Windows 11 SE and how to configure them via MDM
+title: Configure education themes for Windows 11
+description: Description of education themes for Windows 11 and how to configure them via MDM
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
@@ -12,14 +12,15 @@ ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
+- ✅ Windows 11 22H2
- ✅ Windows 11 SE 22H2
---
-# Configure education themes for Windows 11 SE
+# Configure education themes for Windows 11
-Starting in **Windows 11 SE, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
+Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
-:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
+:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings. Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
@@ -42,14 +43,7 @@ Education themes aren't enabled by default. IT administrators can configure devi
1. In **Configuration settings**, select **Add**
1. In **Add Row**, enter the following properties:
- Name: enter **EnableEduThemes**
- - OMA-URI: `./Vendor/MSFT/Policy/Config/Stickers/EnableEduThemes`
- - Data type: **Integer**
- - Value: **1**
-1. Select **Save**
-1. Select **Add**
-1. In **Add Row**, enter the following properties:
- - Name: enter **IsEducationEnvironment**
- - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
+ - OMA-URI: `./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`
- Data type: **Integer**
- Value: **1**
1. Select **Save**
@@ -67,4 +61,4 @@ Once the education themes are enabled, the device will download them as soon as
To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
-:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
+:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 4fbe0e9f89..0a06370a11 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -16,6 +16,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Working with Microsoft Store for Education
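Review bot: The OMA-URI for `EnableEduThemes` moves from `./Vendor/MSFT/Policy/Config/Stickers/EnableEduThemes` to `./Vendor/MSFT/Policy/Config/Education/EnableEduThemes` and the separate `IsEducationEnvironment` row is dropped, but the page gives administrators who built the Intune profile from the earlier text no hint that their existing row now targets a path this article no longer documents. A short callout after the step list would close that gap, for example `> [!NOTE] If you created this profile from an earlier version of this article, replace the Stickers/EnableEduThemes row with the Education/EnableEduThemes OMA-URI shown above.` Whether the old path still resolves on the device is not visible here, so I would phrase it as "replace" rather than claim it fails. The numbered step list continues outside the hunk.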
@@ -133,18 +135,10 @@ Teachers can: ## Distribute apps -Manage and distribute apps to students and others in your organization. Different options are available for admins and teachers. - -Applies to: IT admins - **To manage and distribute apps** - For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft) - For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business) -Applies to: Teachers - -For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft). - **To assign an app to a student** 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). @@ -177,4 +171,4 @@ You can manage your orders through Microsoft Store for Business. For info on ord It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**. > [!NOTE] -> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. \ No newline at end of file +> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index f03899ae3d..a29c2d277f 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -16,6 +16,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Get Minecraft: Education Edition 
@@ -24,23 +26,18 @@ appliesto: -Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. - - +Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution. ## Prerequisites -- **Minecraft: Education Edition** requires Windows 10. +- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements). - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) - -[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) - -[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. \ No newline at end of file +[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. 
diff --git a/education/windows/images/windows-11-se.png b/education/windows/images/windows-11-se.png new file mode 100644 index 0000000000..48446caa20 Binary files /dev/null and b/education/windows/images/windows-11-se.png differ diff --git a/education/windows/index.yml b/education/windows/index.yml index 510c5c520f..5205e02a4a 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -47,11 +47,17 @@ landingContent: url: windows-11-se-overview.md - text: Windows 11 SE settings url: windows-11-se-settings-list.md + - linkListType: whats-new + links: + - text: Configure education themes + url: edu-themes.md + - text: Configure Stickers + url: edu-stickers.md - linkListType: video links: - text: Deploy Windows 11 SE using Set up School PCs url: https://www.youtube.com/watch?v=Ql2fbiOop7c - + - title: Deploy devices with Set up School PCs linkLists: diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index e6daee3daa..e2858efc79 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -15,6 +15,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Set up Take a Test on multiple PCs @@ -114,8 +116,6 @@ You can configure a dedicated testing account through MDM or Configuration Manag - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI - **String value** = *assessment URL* - See [Assessment URLs](#assessment-urls) for more information. - 4. Create a policy that associates the assessment URL to the account using the following values: - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount 
@@ -263,16 +263,10 @@ You can also distribute the test link by creating a shortcut. To create the shor Once the shortcut is created, you can copy it and distribute it to students. - -## Assessment URLs -This assessment URL uses our lockdown API: -- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/). - - ## Related topics -[Take tests in Windows 10](take-tests-in-windows-10.md) +[Take tests in Windows](take-tests-in-windows-10.md) [Set up Take a Test on a single PC](take-a-test-single-pc.md) -[Take a Test app technical reference](take-a-test-app-technical.md) \ No newline at end of file +[Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 2dcc9c525c..2cf14b3079 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -15,6 +15,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Set up Take a Test on a single PC @@ -23,7 +25,7 @@ To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow t ## Set up a dedicated test account To configure the assessment URL and a dedicated testing account on a single PC, follow these steps. -1. Sign into the Windows 10 device with an administrator account. +1. Sign into the Windows device with an administrator account. 2. Open the **Settings** app and go to **Accounts > Access work or school**. 3. Click **Set up an account for taking tests**. @@ -127,7 +129,7 @@ Once the shortcut is created, you can copy it and distribute it to students. ## Related topics -[Take tests in Windows 10](take-tests-in-windows-10.md) +[Take tests in Windows](take-tests-in-windows-10.md) [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) 
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index e0e44e51c8..64dc362a33 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Take tests in Windows 10 +title: Take tests in Windows description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test ms.prod: windows @@ -15,11 +15,13 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- -# Take tests in Windows 10 +# Take tests in Windows -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test: +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test: - Take a Test shows just the test and nothing else. - Take a Test clears the clipboard. @@ -46,7 +48,7 @@ There are several ways to configure devices for assessments, depending on your u - **For a single PC** - You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). + You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). - **For multiple PCs** 
@@ -55,7 +57,7 @@ There are several ways to configure devices for assessments, depending on your u - A provisioning package created in Windows Configuration Designer - Group Policy to deploy a scheduled task that runs a Powershell script - Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options: + You can also configure Take a Test using these options: - Set up School PCs app - Intune for Education diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 9436f4e605..47f90a01c2 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -16,160 +16,34 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # For teachers - get Minecraft: Education Edition -The following article describes how teachers can get and distribute Minecraft: Education Edition. -Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. +The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. -To get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Try Minecraft: Education Edition for Free Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. +To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download) ## Purchase Minecraft: Education Edition for Teachers and Students -Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers. 
+As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. ->[!Note] ->M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above. +M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. -As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account. - ->[!Note] ->If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. - -You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education. - -To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase): - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account. -2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it) -3. 
Click **Buy** - ->[!Note] ->Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator. - - -## Distribute Minecraft - -After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options: - -- You can install the app on your PC. -- You can assign the app to others. -- You can download the app to distribute. - - - -### Install for me -You can install the app on your PC. This gives you a chance to work with the app before using it with your students. - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Install**. - - - -3. Click **Install**. - -### Assign to others -Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. - -**To assign to others** -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. - - - -3. Click **Invite people**. - -4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - - ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) - - You can assign the app to students with work or school accounts.
    - If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. - - -**To finish Minecraft install (for students)** - -Students will receive an email with a link that will install the app on their PC. - -![Email with Get the app link.](images/minecraft-student-install-email.png) - -1. Click **Get the app** to start the app install in Microsoft Store app. -2. In Microsoft Store app, click **Install**. - - ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) - - After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - - ![Microsoft Store app directing the navigation to My Library.](images/minecraft-private-store.png) - - When students click **My Library** they'll find apps assigned to them. - - ![My Library for example student.](images/minecraft-my-library.png) - -### Download for others -Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: -- You have administrative permissions to install apps on the PC. -- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. -- Your students share Windows 10 computers, but sign in with their own Windows account. - -#### Requirements -- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. 
-- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. - -#### Check for updates -Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. - -**To check for app updates** -1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). -2. Click the account button, and then click **Downloads and updates**. - - ![Microsoft Store app displaying the navigation to the My Library option.](images/minecraft-private-store.png) - -3. Click **Check for updates**, and install all available updates. - - ![Microsoft Store app directing the navigation to the My Library submenu item.](images/mc-check-for-updates.png) - -4. Restart the computer before installing Minecraft: Education Edition. - -#### To download for others -You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. - -1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - - ![Microsoft Store app depicting the navigation path to the My Library option.](images/mc-dnld-others-teacher.png) - -2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. -3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. -4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. 
Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. -5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. -6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use. #### Troubleshoot -If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened. - -| Problem | Possible cause | Solution | -|---------|----------------|----------| -| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic).
    Install updates.
    Restart PC.
    Run **InstallMinecraftEducationEdition.bat** again. | -| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. | -| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. | -| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. | -| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC.
    Run **InstallMinecraftEducationEdition.bat** again.
    If a restart doesn't work, contact your IT Admin. | - - -If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). +If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). ## Related topics -[Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
    -Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. [Get Minecraft: Education Edition](get-minecraft-for-education.md) [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index d4333d8625..a64a7590e3 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -92,7 +92,7 @@ While Intune for Education offers simple options for Autopilot configurations, m An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. -:::image type="content" source="./images/win11-oobe-esp.png" alt-text="Windows OOBE - enrollment status page" border="false"::: +:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false"::: > [!NOTE] > Some Windows Autopilot deployment profiles **require** the ESP to be configured. diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md index acfb5e06ff..35f640ae75 100644 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ b/education/windows/tutorial-school-deployment/enroll-package.md 
@@ -57,10 +57,9 @@ For more information, see [Install Windows Configuration Designer][WIN-1], which ## Enroll devices with the provisioning package To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune. +All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use. -:::image type="content" source="./images/win11-oobe-ppkg.png" alt-text="Windows 11 OOBE - enrollment with provisioning package." border="false"::: - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: +:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: ________________________________________________________ ## Next steps diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png index 5b6599de3e..ca344cf5cf 100644 Binary files a/education/windows/tutorial-school-deployment/images/intune-education-apps.png and b/education/windows/tutorial-school-deployment/images/intune-education-apps.png differ diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png index 5a3f95bc51..cfbd12f2da 100644 Binary files a/education/windows/tutorial-school-deployment/images/remote-actions.png and b/education/windows/tutorial-school-deployment/images/remote-actions.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
new file mode 100644
index 0000000000..fa2e4c3aeb
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png
deleted file mode 100644
index 73efb59230..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
new file mode 100644
index 0000000000..2defd5c1ce
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png
deleted file mode 100644
index 7de484934b..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
index c134a1a846..efe5fa2545 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -133,7 +133,7 @@ To configure your school's branding: :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png"::: 1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties** 1. In the **Name** field, enter the school district or organization's name > **Save** - :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png"::: + :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png"::: For more information, see [Add branding to your directory][AAD-5]. diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index ebd9cc6e9a..a75509b502 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -78,7 +78,7 @@ To disable Windows Hello for Business at the tenant level: 1. Ensure that **Configure Windows Hello for Business** is set to **disabled** 1. Select **Save** -:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center" border="true"::: +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png"::: For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. 
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 32691a8669..117059af5e 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -1,5 +1,5 @@
 ---
-title: What is Windows 11 SE
+title: Windows 11 SE Overview
 description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
 ms.prod: windows
 ms.mktglfcycl: deploy
@@ -8,130 +8,179 @@ ms.pagetype: mobile
 ms.collection: education
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
 ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ Windows 11 SE
 ---
-# Windows 11 SE for Education
+# Windows 11 SE Overview
-Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
+Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
 For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
-- A simplified and secure experience for students. Student privacy is prioritized.
-- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
-- It's built for low-cost devices.
-- It has a curated app experience, and is designed to only run essential education apps.
+- A simplified and secure experience for students, where student privacy is prioritized. With a curated allowlist of applications maintained by Microsoft, Windows SE is designed to only run essential education apps
+- IT admin can remotely manage Windows 11 SE devices using [Microsoft Intune for Education][INT-1]
+- It's built for low-cost devices
+
+:::image type="content" source="./images/windows-11-se.png" alt-text="Screenshot of Windows 11 SE showing Start menu and taskbar with default layout" border="false":::
 ## Get Windows 11 SE
-Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
+Windows 11 SE is only available preinstalled on devices from OEMs. OEMs install Windows 11 SE, and make the devices available for you to purchase. For example, you can purchase Microsoft Surface SE devices with Windows 11 SE already installed.
-## Available apps
+## Application types
-Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+The following table lists the different application types available in Windows operating systems, detailing which application types are enabled in Windows 11 SE.
+| App type | Description | Enabled | Note|
+| --- | --- | :---: | ---|
+|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
+| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. 
|
+|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
+|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
-| Application | Supported version | App Type | Vendor |
-| --- | --- | --- | --- |
-|AirSecure |8.0.0 |Win32 |AIR|
-|Brave Browser |1.34.80|Win32 |Brave|
-|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
-|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
-|CKAuthenticator |3.6 |Win32 |Content Keeper|
-|Class Policy |114.0.0 |Win32 |Class Policy|
-|Classroom.cloud |1.40.0004 |Win32 |NetSupport|
-|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights|
-|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications|
-|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
-|Duo from Cisco |2.25.0 |Win32 |Cisco|
-|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
-|eTests |4.0.25 |Win32 |CASAS|
-|FortiClient |7.0.1.0083 |Win32 |Fortinet|
-|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
-|GoGuardian |1.4.4 |Win32 |GoGuardian|
-|Google Chrome |102.0.5005.115|Win32 |Google|
-|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education|
-|Immunet |7.5.0.20795 |Win32 |Immunet|
-|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific|
-|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps|
-|Kortext |2.3.433.0 |Store |Kortext|
-|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems|
-|LanSchool |9.1.0.46 |Win32 |Stoneware|
-|Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems|
-|Microsoft Connect |10.0.22000.1 |Store |Microsoft|
-|Mozilla Firefox |99.0.1 |Win32 |Mozilla|
-|NAPLAN |2.5.0 |Win32 |NAP|
-|NetSupport Manager |12.01.0011 |Win32 |NetSupport|
-|NetSupport Notify |5.10.1.215 |Win32 |NetSupport|
-|NetSupport School |14.00.0011 |Win32 |NetSupport|
-|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
-|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
-|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
-|Pearson TestNav |1.10.2.0 |Store |Pearson|
-|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
-|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
-|Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft|
-|Remote Help |3.8.0.12 |Win32 |Microsoft|
-|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
-|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
-|Secure Browser |14.0.0 |Win32 |Cambium Development|
-|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
-|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
-|Zoom |5.9.1 (2581)|Win32 |Zoom|
-|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
-|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific|
+> [!IMPORTANT]
+> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
-### Enabled apps
+## Applications included in Windows 11 SE
-| App type | Enabled |
-| --- | --- |
-| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
-| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails.<br>

    ✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
+The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar.
-### Add your own apps
+| App name | App type | Pinned to Start? | Pinned to taskbar? |
+|:-----------------------------|:--------:|:----------------:|:------------------:|
+| Alarm & Clock | UWP | | |
+| Calculator | UWP | ✅ | |
+| Camera | UWP | ✅ | |
+| Microsoft Edge | Win32 | ✅ | ✅ |
+| Excel | Win32 | ✅ | |
+| Feedback Hub | UWP | | |
+| File Explorer | Win32 | | ✅ |
+| FlipGrid | PWA | | |
+| Get Help | UWP | | |
+| Groove Music | UWP | ✅ | |
+| Maps | UWP | | |
+| Minecraft: Education Edition | UWP | | |
+| Movies & TV | UWP | | |
+| News | UWP | | |
+| Notepad | Win32 | | |
+| OneDrive | Win32 | | |
+| OneNote | Win32 | ✅ | |
+| Outlook | PWA | ✅ | |
+| Paint | Win32 | ✅ | |
+| Photos | UWP | | |
+| PowerPoint | Win32 | ✅ | |
+| Settings | UWP | ✅ | |
+| Snip & Sketch | UWP | | |
+| Sticky Notes | UWP | | |
+| Teams | Win32 | ✅ | |
+| To Do | UWP | | |
+| Whiteboard | UWP | ✅ | |
+| Word | Win32 | ✅ | |
-If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
+## Available applications
+
+The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. 
For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
+
+| Application | Supported version | App Type | Vendor |
+|-----------------------------------------|-------------------|----------|------------------------------|
+| AirSecure | 8.0.0 | Win32 | AIR |
+| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
+| Brave Browser | 1.34.80 | Win32 | Brave |
+| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
+| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
+| CKAuthenticator | 3.6 | Win32 | Content Keeper |
+| Class Policy | 114.0.0 | Win32 | Class Policy |
+| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
+| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
+| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
+| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
+| Duo from Cisco | 2.25.0 | Win32 | Cisco |
+| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
+| eTests | 4.0.25 | Win32 | CASAS |
+| FortiClient | 7.0.1.0083 | Win32 | Fortinet |
+| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
+| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd |
+| GoGuardian | 1.4.4 | Win32 | GoGuardian |
+| Google Chrome | 102.0.5005.115 | Win32 | Google |
+| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
+| Immunet | 7.5.0.20795 | Win32 | Immunet |
+| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
+| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
+| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps |
+| Kortext | 2.3.433.0 | Store | Kortext |
+| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
+| LanSchool | 9.1.0.46 | Win32 | Stoneware |
+| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
+| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
+| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
+| 
Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
+| NAPLAN | 2.5.0 | Win32 | NAP |
+| Netref Student | 22.2.0 | Win32 | NetRef |
+| NetSupport Manager | 12.01.0011 | Win32 | NetSupport |
+| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
+| NetSupport School | 14.00.0011 | Win32 | NetSupport |
+| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
+| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
+| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
+| Pearson TestNav | 1.10.2.0 | Store | Pearson |
+| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
+| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
+| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
+| Remote Help | 3.8.0.12 | Win32 | Microsoft |
+| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
+| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
+| Secure Browser | 14.0.0 | Win32 | Cambium Development |
+| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
+| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
+| Zoom | 5.9.1 (2581) | Win32 | Zoom |
+| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
+| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
+
+## Add your own applications
+
+If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
 Microsoft reviews every app request to make sure each app meets the following requirements:
-- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more. 
- -- Apps must be in one of the following app categories:​ - - Content Filtering apps​ - - Test Taking solutions​ +- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more +- Apps must be in one of the following app categories: + - Content Filtering apps + - Test Taking solutions - Assistive technologies - - Classroom communication apps​ + - Classroom communication apps - Essential diagnostics, management, and supportability apps - -- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements). - +- Apps must meet the performance [requirements of Windows 11][WIN-1] - Apps must meet the following security requirements: - - All app binaries are code-signed​. - - All files include the `OriginalFileName` in the resource file header​. - - All kernel drivers are WHQL-signed. - -- Apps don't have an equivalent web application​. - -- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE. + - All app binaries are code-signed + - All files include the `OriginalFileName` in the resource file header + - All kernel drivers are WHQL-signed +- Apps don't have an equivalent web application +- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE. -When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices. 
+When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices.
-For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
 ### 0x87D300D9 error with an app
 When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
-- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
-- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
-- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
+- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
+- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
+- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). 
Or, use an app that runs in a web browser, such as a web app or PWA
 ## Related articles
-- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)
+- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
+
+[INT-1]: /intune-education/what-is-intune-for-education
+
+[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
+[EDUWIN-2]: /education/windows/tutorial-school-deployment/
+
+[WIN-1]: /windows/whats-new/windows-11-requirements
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index e654aff272..0dda7bbc35 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -8,7 +8,7 @@ ms.pagetype: mobile
 ms.collection: education
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
 ms.reviewer:
 manager: aaroncz
 appliesto:
@@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o
 The following table lists and describes the settings that can be changed by administrators.
-| Setting | Description |
-| --- | --- |
-| Block manual unenrollment | Default: Blocked<br>

    Users can't unenroll their devices from device management services.

    [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) |
-| Allow option to Show Network | Default: Allowed<br>

    Gives users the option to see the **Show Network** folder in File Explorer. |
-| Allow option to Show This PC | Default: Allowed<br>

    Gives user the option to see the **Show This PC** folder in File Explorer. |
-| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads<br>

    Gives user access to these folders. |
-| Set Allowed Storage Locations | Default: Blocks local drives and network drives<br>

    Blocks user access to these storage locations. |
-| Allow News and Interests | Default: Hide<br>

    Hides widgets. |
-| Disable advertising ID | Default: Disabled<br>

    Blocks apps from using usage data to tailor advertisements.

    [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
-| Visible settings pages | Default:<br>

    |
-| Enable App Install Control | Default: Turned On<br>

    Users can't download apps from the internet.

    [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
-| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days<br>

    If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.

    [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
-| Allow Telemetry | Default: Required Telemetry Only<br>

    Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.

    [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
-| Allow Experimentation | Default: Disabled<br>

    Microsoft can't experiment with the product to study user preferences or device behavior.

    [System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
-| Block external extensions | Default: Blocked<br>

    In Microsoft Edge, users can't install external extensions.

    [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) |
-| Configure new tab page | Default: `Office.com`<br>

    In Microsoft Edge, the new tab page defaults to `Office.com`.

    [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
-| Configure homepage | Default: `Office.com`<br>

    In Microsoft Edge, the homepage defaults to `Office.com`.

    [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
-| Prevent SmartScreen prompt override | Default: Enabled<br>

    In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.

    [PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
-| Wallpaper Image Customization | Default:<br>

    Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
-| Lock Screen Image Customization | Default:<br>

    Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Setting | Description | Default Value |
+| --- | --- | --- |
+| Block manual unenrollment | When blocked, users can't unenroll their devices from device management services.<br>

    [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked |
+| Allow option to Show Network | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed |
+| Allow option to Show This PC | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed |
+| Set Allowed Folder location | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads |
+| Set Allowed Storage Locations | Blocks user access to these storage locations. | Blocks local drives and network drives |
+| Allow News and Interests | Hides widgets. | Hide |
+| Disable advertising ID | Blocks apps from using usage data to tailor advertisements.<br>

    [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Disabled |
+| Visible settings pages | Default:<br>

    ||
+| Enable App Install Control | When enabled, users can't download apps from the internet.<br>

    [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled |
+| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.<br>

    [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days |
+| Allow Telemetry | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.<br>

    [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only |
+| Allow Experimentation | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior.<br>

    [System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled |
+| Block external extensions | When blocked, in Microsoft Edge users can't install external extensions.<br>

    [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked |
+| Configure new tab page | Set the new tab page defaults to a specific url.<br>

    [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` |
+| Configure homepage | Set the Microsoft Edge's homepage default.<br>

    [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` |
+| Prevent SmartScreen prompt override | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings.<br>

    [PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled |
+| Wallpaper Image Customization | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.<br>

    [DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
+| Lock Screen Image Customization | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.<br>

    [LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
 ## Settings that can't be changed
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 1f3a0d4e61..0c2d4413bb 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -37,10 +37,10 @@
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "windows",
- "audience": "ITPro",
 "ms.topic": "article",
- "ms.author": "elizapo",
- "feedback_system": "None",
+ "feedback_system": "GitHub",
+ "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.win-app-management",
@@ -59,7 +59,11 @@
 ],
 "searchScope": ["Windows 10"]
 },
- "fileMetadata": {},
+ "fileMetadata": {
+ "feedback_system": {
+ "app-v/**/*.*": "None"
+ }
+ },
 "template": [],
 "dest": "win-app-management",
 "markdownEngineName": "markdig"
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 7c8c46580d..a78fb7d156 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -18,8 +18,8 @@ ms.topic: article
 - Windows 11
 - Windows Server 2022
-
 ## Summary
+
 By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
 ## Introduction
@@ -60,7 +60,6 @@ It's more difficult for users to make unauthorized copies of company data if use
 You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
-
 ## Scenario Overview
 The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
@@ -90,7 +89,6 @@ This scenario, although similar to scenario #2, brings another layer of complexi
 In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
-
 ## Technology Review
 The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.
@@ -126,14 +124,14 @@ Hardware IDs are the identifiers that provide the exact match between a device a
 Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
-When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
+When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. 
A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
 > [!NOTE]
 > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
 Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
-When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
+When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. 
For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings).
 #### Device setup classes
@@ -143,7 +141,7 @@ When you use device Classes to allow or prevent users from installing drivers, y
 For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.
-For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
+For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes).
 This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. 
@@ -154,14 +152,13 @@ The following two links provide the complete list of Device Setup Classes. ‘Sy #### ‘Removable Device’ Device type -Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. - +Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. ### Group Policy Settings for Device Installation Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. -Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference. +Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor). The following passages are brief descriptions of the Device Installation policies that are used in this guide. 
@@ -210,12 +207,9 @@ This policy setting will change the evaluation order in which Allow and Prevent > If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. - + ![Device Installation policies flow chart.](images/device-installation-flowchart.png)
    _Device Installation policies flow chart_ - - - ## Requirements for completing the scenarios ### General @@ -259,7 +253,7 @@ To find device identification strings using Device Manager 3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. 4. Find the “Printers” section and find the target printer - + ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
    _Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. @@ -273,7 +267,7 @@ To find device identification strings using Device Manager ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)
    _HWID and Compatible ID_ > [!TIP] - > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. + > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil). ### Getting device identifiers using PnPUtil @@ -316,7 +310,7 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. 3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters 
@@ -333,7 +327,7 @@ Getting the right device identifier to prevent it from being installed: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ @@ -347,7 +341,7 @@ Creating the policy to prevent all printers from being installed: 1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. -2. Navigate to the Device Installation Restriction page: +2. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions 
@@ -625,12 +619,12 @@ These devices are internal devices on the machine that define the USB port conne > [!IMPORTANT] > Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: -> -> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ +> +> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\USB20_HUB (for Generic USB Hubs)/ -> -> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. +> +> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index d447311a4e..2623c3d235 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md 
@@ -52,8 +52,11 @@ Available naming macros:
 |Macro|Description|Example|Generated Name|
 |:---|:---|:---|:---|
-|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
-|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
+|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`|
+|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`|
+
+> [!NOTE]
+> If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters.
 Supported operation is Add.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 97ff6341d2..1334adc13d 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -754,7 +754,7 @@ ADMX Info:
 This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
 In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
@@ -843,7 +843,7 @@ ADMX Info:
 This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
 In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index c900b41939..72be68417e 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceStatus CSP
 description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -71,12 +71,14 @@ DeviceStatus
 --------VirtualizationBasedSecurityHwReq
 --------VirtualizationBasedSecurityStatus
 --------LsaCfgCredGuardStatus
+----CertAttestation
+--------MDMClientCertAttestation
 ```
-**DeviceStatus**
+**DeviceStatus**
 The root node for the DeviceStatus configuration service provider.
-**DeviceStatus/SecureBootState**
+**DeviceStatus/SecureBootState**
 Indicates whether secure boot is enabled. The value is one of the following values:
 - 0 - Not supported
@@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu Supported operation is Get. -**DeviceStatus/CellularIdentities** +**DeviceStatus/CellularIdentities** Required. Node for queries on the SIM cards. >[!NOTE] >Multiple SIMs are supported. -**DeviceStatus/CellularIdentities/***IMEI* +**DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. -**DeviceStatus/CellularIdentities/*IMEI*/IMSI** +**DeviceStatus/CellularIdentities/*IMEI*/IMSI** The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/ICCID** +**DeviceStatus/CellularIdentities/*IMEI*/ICCID** The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** +**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** Phone number associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** +**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** The mobile service provider or mobile operator associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** Indicates whether the SIM card associated with the specific IMEI number is roaming. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** Boolean value that indicates compliance with the enforced enterprise roaming policy. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers** +**DeviceStatus/NetworkIdentifiers** Node for queries on network and device properties. 
-**DeviceStatus/NetworkIdentifiers/***MacAddress* +**DeviceStatus/NetworkIdentifiers/***MacAddress* MAC address of the wireless network card. A MAC address is present for each network card on the device. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** IPv4 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** IPv6 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** Boolean value that indicates whether the network card associated with the MAC address has an active network connection. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** Type of network connection. The value is one of the following values: - 2 - WLAN (or other Wireless interface) @@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values: Supported operation is Get. -**DeviceStatus/Compliance** +**DeviceStatus/Compliance** Node for the compliance query. -**DeviceStatus/Compliance/EncryptionCompliance** +**DeviceStatus/Compliance/EncryptionCompliance** Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - 0 - Not encrypted 
@@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo Supported operation is Get. -**DeviceStatus/TPM** +**DeviceStatus/TPM** Added in Windows, version 1607. Node for the TPM query. Supported operation is Get. -**DeviceStatus/TPM/SpecificationVersion** +**DeviceStatus/TPM/SpecificationVersion** Added in Windows, version 1607. String that specifies the specification version. Supported operation is Get. -**DeviceStatus/OS** +**DeviceStatus/OS** Added in Windows, version 1607. Node for the OS query. Supported operation is Get. -**DeviceStatus/OS/Edition** +**DeviceStatus/OS/Edition** Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. -**DeviceStatus/OS/Mode** +**DeviceStatus/OS/Mode** Added in Windows, version 1803. Read only node that specifies the device mode. -Valid values: +Valid values: - 0 - The device is in standard configuration. - 1 - The device is in S mode configuration. Supported operation is Get. -**DeviceStatus/Antivirus** +**DeviceStatus/Antivirus** Added in Windows, version 1607. Node for the antivirus query. Supported operation is Get. -**DeviceStatus/Antivirus/SignatureStatus** +**DeviceStatus/Antivirus/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. Valid values: @@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns: This node also returns 0 when no antivirus provider is active. -**DeviceStatus/Antivirus/Status** +**DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. Valid values: 
@@ -231,12 +233,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Antispyware** +**DeviceStatus/Antispyware** Added in Windows, version 1607. Node for the anti-spyware query. Supported operation is Get. -**DeviceStatus/Antispyware/SignatureStatus** +**DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature. Valid values: @@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns: This node also returns 0 when no anti-spyware provider is active. -**DeviceStatus/Antispyware/Status** +**DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware. Valid values: @@ -266,12 +268,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Firewall** +**DeviceStatus/Firewall** Added in Windows, version 1607. Node for the firewall query. Supported operation is Get. -**DeviceStatus/Firewall/Status** +**DeviceStatus/Firewall/Status** Added in Windows, version 1607. Integer that specifies the status of the firewall. Valid values: 
@@ -284,75 +286,75 @@ Valid values: Supported operation is Get. -**DeviceStatus/UAC** +**DeviceStatus/UAC** Added in Windows, version 1607. Node for the UAC query. Supported operation is Get. -**DeviceStatus/UAC/Status** +**DeviceStatus/UAC/Status** Added in Windows, version 1607. Integer that specifies the status of the UAC. Supported operation is Get. -**DeviceStatus/Battery** +**DeviceStatus/Battery** Added in Windows, version 1607. Node for the battery query. Supported operation is Get. -**DeviceStatus/Battery/Status** +**DeviceStatus/Battery/Status** Added in Windows, version 1607. Integer that specifies the status of the battery Supported operation is Get. -**DeviceStatus/Battery/EstimatedChargeRemaining** +**DeviceStatus/Battery/EstimatedChargeRemaining** Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/Battery/EstimatedRuntime** +**DeviceStatus/Battery/EstimatedRuntime** Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/DomainName** +**DeviceStatus/DomainName** Added in Windows, version 1709. 
Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. Supported operation is Get. -**DeviceStatus/DeviceGuard** +**DeviceStatus/DeviceGuard** Added in Windows, version 1709. Node for Device Guard query. Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. - 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required +- 0x1: SecureBoot required - 0x2: DMA Protection required - 0x4: HyperV not supported for Guest VM - 0x8: HyperV feature isn't available Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: - 0 - Running -- 1 - Reboot required -- 2 - 64-bit architecture required -- 3 - Not licensed -- 4 - Not configured -- 5 - System doesn't meet hardware requirements +- 1 - Reboot required +- 2 - 64-bit architecture required +- 3 - Not licensed +- 4 - Not configured +- 5 - System doesn't meet hardware requirements - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details. Supported operation is Get. -**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** +**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** Added in Windows, version 1709. Local System Authority (LSA) credential guard status. - 0 - Running 
@@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
 Supported operation is Get.
+**DeviceStatus/CertAttestation/MDMClientCertAttestation**
+Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
+
+Supported operation is Get.
+
 ## Related topics
 [Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 9019f6a5b9..f081bf1262 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceStatus DDF
 description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -25,862 +25,904 @@ The XML below is for Windows 10, version 1803. "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" []> - 1.2 - + 1.2 + DeviceStatus ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.4/MDM/DeviceStatus - + + + + + + + + + + + + + + com.microsoft/1.4/MDM/DeviceStatus + - SecureBootState - - - - - - - - - - - - - - - text/plain - - - - - CellularIdentities - - - - - - - - - - - - - - - - - - - + SecureBootState - - - - - - - - - - - - - IMEI - - - - - - IMSI - - + - + - + - + - text/plain + text/plain - - - - ICCID - + + + + CellularIdentities + - + - + - + - + - text/plain + - - - - PhoneNumber - - - - - - - - - - - - - - - text/plain - - - - - CommercializationOperator - - - - - - - - - - - - - - - text/plain - - - - - RoamingStatus - - - - - - - - - - - - - - - text/plain - - - - - RoamingCompliance - - - - - - - - - - - - - - - text/plain - - - - - - - NetworkIdentifiers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - MacAddress - - - - IPAddressV4 - + + + + + + + + + + + + + + + IMEI + + + + + + IMSI + + + + + + + + + + + + + + + text/plain + + + + + ICCID + + + + + + + + + + + + + + + text/plain + + + + + PhoneNumber + + + + + + + + + + + + + + + text/plain + + + + + CommercializationOperator + + + + + + + + + + + + + + + text/plain + + + + + RoamingStatus + + + + + + + + + + + + + + + text/plain + + + + + RoamingCompliance + + + + + + + + + + + + + + + text/plain + + + + + + + NetworkIdentifiers + - + - + - + - + - text/plain + - + + + + + + + + + + + + + + + + + MacAddress + + + + + + IPAddressV4 + + + + + + + + + + + + + + + text/plain + + + + + IPAddressV6 + + + + + + + + + + + + + + + text/plain + + + + + IsConnected + + + + + + + + + + + + + + + text/plain + + + + + Type + + + + + + + + + + + + + + + text/plain + + + + + + + Compliance + + + + + + + + + + + + + + + + + + + EncryptionCompliance + + + + + + + + + + + + + + + text/plain + + + + + + TPM + + + + + + + + + + + + + + + + + + + 
SpecificationVersion + + + + + Not available + + + + + + + + + + + text/plain + + + + + + OS + + + + + + + + + + + + + + + + + + + Edition + + + + + Not available + + + + + + + + + + + text/plain + + - IPAddressV6 - + Mode + + + + + Not available + + + + + + + + + + + text/plain + + + + + + Antivirus + - + - + - + - + - text/plain + - + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + - IsConnected - + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Antispyware + - + - + - + - + - text/plain + - + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + - Type - + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Firewall + - + - + - + - + - text/plain + - + + + Status + + + + + 3 + + + + + + + + + + + text/plain + + - - Compliance - - - - - - - - - - - - - - - - - - - EncryptionCompliance + UAC - - - - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - + + Status + + + + + + + + + + + + + + + text/plain + + + - TPM - - - - - - - - - - - - - - - - - - - SpecificationVersion + Battery - - - - Not available - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - + + Status + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedChargeRemaining + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedRuntime + + + + + 0 + + + + + + + + + + + text/plain + + + - OS - - - - - - - - - - - - - - - - - - - Edition + DomainName - - - - Not available - - - - - - - - - - - text/plain - + + + + Returns the fully qualified domain name of the device(if any). 
+ + + + + + + + + + DomainName + + text/plain + - - - Mode - - - - - Not available - - - - - - - - - - - text/plain - - - - Antivirus - - - - - - - - - - - - - - - - - - - SignatureStatus + DeviceGuard - - - - 1 - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - + + VirtualizationBasedSecurityHwReq + + + + + + + + + + + + + + + text/plain + + + + + VirtualizationBasedSecurityStatus + + + + + + + + + + + + + + + text/plain + + + + + LsaCfgCredGuardStatus + + + + + + + + + + + + + + + text/plain + + + - Antispyware - - - - - - - - - - - - - - - - - - - SignatureStatus + CertAttestation - - - - 1 - - - - - - - - - - - text/plain - + + + + Node for Certificate Attestation + + + + + + + + + + + + - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - + + MDMClientCertAttestation + + + + + MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. + + + + + + + + + + + + + + - - Firewall - - - - - - - - - - - - - - - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - UAC - - - - - - - - - - - - - - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Battery - - - - - - - - - - - - - - - - - - - Status - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedChargeRemaining - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedRuntime - - - - - 0 - - - - - - - - - - - text/plain - - - - - - DomainName - - - - - Returns the fully qualified domain name of the device(if any). - - - - - - - - - - DomainName - - text/plain - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - VirtualizationBasedSecurityHwReq - - - - - - - - - - - - - - - text/plain - - - - - VirtualizationBasedSecurityStatus - - - - - - - - - - - - - - - text/plain - - - - - LsaCfgCredGuardStatus - - - - - - - - - - - - - - - text/plain - - - - - + ``` 
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d45249dffe..67c5ae122a 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -150,6 +150,15 @@ If you disable or don't configure this policy setting, the PIN will be provision
 Supported operations are Add, Get, Delete, and Replace.
+***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)
+Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+
+If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+
+If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+
+Supported operations are Add, Get, Delete, and Replace.
+
 ***TenantId*/Policies/PINComplexity** Node for defining PIN settings.
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
new file mode 100644
index 0000000000..598c8121ec
--- /dev/null
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -0,0 +1,47 @@
+---
+title: PersonalDataEncryption CSP
+description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 09/12/2022
+ms.reviewer: 
+manager: dansimp
+ms.collection: highpri
+---
+
+# PersonalDataEncryption CSP
+
+The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+
+The following shows the PersonalDataEncryption configuration service provider in tree format:
+
+```
+./User/Vendor/MSFT/PDE
+-- EnablePersonalDataEncryption
+-- Status
+-------- PersonalDataEncryptionStatus
+
+```
+
+**EnablePersonalDataEncryption**:
+- 0 is default (disabled)
+- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+
+The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled.
+
+**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+
+> [!Note]
+> The policy is only applicable on Enterprise and Education SKUs.
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md new file mode 100644 index 0000000000..2911a85c66 --- /dev/null +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -0,0 +1,127 @@ +--- +title: PersonalDataEncryption DDF file +description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider. +ms.author: v-nsatapathy +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.localizationpriority: medium +ms.date: 09/10/2022 +ms.reviewer: +manager: dansimp +--- + +# PersonalDataEncryption DDF file + +This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +```xml + +]> + + 1.2 + + PDE + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + EnablePersonalDataEncryption + + + + + + + + Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy. + + + + + + + + + + + + + + + 0 + Disable Personal Data Encryption. + + + 1 + Enable Personal Data Encryption. + + + + + + Status + + + + + + + + + + + + + + + + + + + PersonalDataEncryptionStatus + + + + + This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled. + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index e06e70792f..aa15270570 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
+- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
+- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
+- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
+- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
+- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
+- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
+- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
+- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
+- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
 - [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
 - [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
 - [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 24683b75fe..79aba31f6b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC + ### ADMX_WindowsRemoteManagement policies
    @@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    +### DesktopAppInstaller policies +
    +
    + DesktopAppInstaller/EnableAdditionalSources +
    +
    + DesktopAppInstaller/EnableAppInstaller +
    +
    + DesktopAppInstaller/EnableDefaultSource +
    +
    + DesktopAppInstaller/EnableLocalManifestFiles +
    +
    + DesktopAppInstaller/EnableHashOverride +
    +
    + DesktopAppInstaller/EnableMicrosoftStoreSource +
    +
    + DesktopAppInstaller/EnableMSAppInstallerProtocol +
    +
    + DesktopAppInstaller/EnableSettings +
    +
    + DesktopAppInstaller/EnableAllowedSources +
    +
    + DesktopAppInstaller/EnableExperimentalFeatures +
    +
    + DesktopAppInstaller/SourceAutoUpdateInterval +
    +
    + ### DeviceGuard policies
    @@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    Experience/AllowSyncMySettings
    +
    + Experience/AllowSpotlightCollection +
    Experience/AllowTailoredExperiencesWithDiagnosticData
    @@ -7895,6 +7936,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ### Printers policies
    +
    + Printers/ApprovedUsbPrintDevices +
    +
    + Printers/ApprovedUsbPrintDevicesUser +
    +
    + Printers/ConfigureCopyFilesPolicy +
    +
    + Printers/ConfigureDriverValidationLevel +
    +
    + Printers/ConfigureIppPageCountsPolicy +
    +
    + Printers/ConfigureRedirectionGuardPolicy +
    +
    + Printers/ConfigureRpcConnectionPolicy +
    +
    + Printers/ConfigureRpcListenerPolicy +
    +
    + Printers/ConfigureRpcTcpPort +
    +
    + Printers/EnableDeviceControl +
    +
    + Printers/EnableDeviceControlUser +
    +
    + Printers/ManageDriverExclusionList +
    Printers/PointAndPrintRestrictions
    @@ -7904,6 +7981,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    Printers/PublishPrinters
    +
    + Printers/RestrictDriverInstallationToAdministrators +
    ### Privacy policies diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 6c42ebfde5..172eeb0f4f 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re ADMX Info: -- GP Friendly name: *Define security intelligence location for VDI clients* +- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments* - GP name: *SecurityIntelligenceLocation* - GP element: *SecurityIntelligenceLocation* -- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender* - GP ADMX file name: *WindowsDefender.admx* - Empty string - no policy is set -- Non-empty string - the policy is set and security intelligence is gathered from the location +- Non-empty string - the policy is set and security intelligence is gathered from the location. diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md new file mode 100644 index 0000000000..f6ec4db880 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md 
@@ -0,0 +1,595 @@ +--- +title: Policy CSP - DesktopAppInstaller +description: Learn about the Policy CSP - DesktopAppInstaller. +ms.author: v-aljupudi +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: alekyaj +ms.date: 08/24/2022 +ms.reviewer: +manager: aaroncz +--- + +# Policy CSP - DesktopAppInstaller + +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
    + + +## DesktopAppInstaller policies + +
    +
    + DesktopAppInstaller/EnableAdditionalSources +
    +
    + DesktopAppInstaller/EnableAppInstaller +
    +
    + DesktopAppInstaller/EnableDefaultSource +
    +
    + DesktopAppInstaller/EnableLocalManifestFiles +
    +
    + DesktopAppInstaller/EnableHashOverride +
    +
    + DesktopAppInstaller/EnableMicrosoftStoreSource +
    +
    + DesktopAppInstaller/EnableMSAppInstallerProtocol +
    +
    + DesktopAppInstaller/EnableSettings +
    +
    + DesktopAppInstaller/EnableAllowedSources +
    +
    + DesktopAppInstaller/EnableExperimentalFeatures +
    +
    + DesktopAppInstaller/SourceAutoUpdateInterval +
    +
    + + +
    + + +**DesktopAppInstaller/EnableAdditionalSources** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/). + +If you don't configure this setting, no additional sources will be configured for Windows Package Manager. + +If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/). + +If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Additional Windows Package Manager Sources* +- GP name: *EnableAdditionalSources* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + + +**DesktopAppInstaller/EnableAppInstaller** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + +- If you enable or don't configure this setting, users will be able to use the Windows Package Manager. +- If you disable this setting, users won't be able to use the Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users* +- GP name: *EnableAppInstaller* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableDefaultSource** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls the default source included with the Windows Package Manager. +If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed. +- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed. +- If you disable this setting the default source for the Windows Package Manager won't be available. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Default Source* +- GP name: *EnableDefaultSource* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableLocalManifestFiles** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls whether users can install packages with local manifest files. + +- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. +- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Local Manifest Files* +- GP name: *EnableLocalManifestFiles* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + + + +**DesktopAppInstaller/EnableHashOverride** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest. + +- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings. + +- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings. + + + + +ADMX Info: +- GP Friendly name: *Enable App Installer Hash Override* +- GP name: *EnableHashOverride* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableMicrosoftStoreSource** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls the Microsoft Store source included with the Windows Package Manager. +If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. +- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed. +- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source* +- GP name: *EnableMicrosoftStoreSource* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableMSAppInstallerProtocol** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol. + +- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. + +- If you disable this setting, users will not be able to install packages from websites that use this protocol. + + + + +ADMX Info: +- GP Friendly name: *Enable MS App Installer Protocol* +- GP name: *EnableMSAppInstallerProtocol* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableSettings** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. + +- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager. +- If you disable this setting, users will not be able to change settings for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Settings Command* +- GP name: *EnableSettings* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableAllowedSources** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy. + +- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. +- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Settings Command* +- GP name: *EnableAllowedSources* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/EnableExperimentalFeatures** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. + +- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager. + +- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Experimental Features* +- GP name: *EnableExperimentalFeatures* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + +**DesktopAppInstaller/SourceAutoUpdateInterval** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. + +- If you enable this setting, the number of minutes specified will be used by Windows Package Manager. + +- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes* +- GP name: *SourceAutoUpdateInterval* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
    + + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 80986cd431..baeea5bf25 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -50,6 +50,9 @@ manager: aaroncz
    Experience/AllowSyncMySettings
    +
    + Experience/AllowSpotlightCollection +
    Experience/AllowTailoredExperiencesWithDiagnosticData
    @@ -494,6 +497,50 @@ The following list shows the supported values:
    + +**Experience/AllowSpotlightCollection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy allows spotlight collection on the device. + +- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings. +- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop. + + + +The following list shows the supported values: + +- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop +- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft +- Default value: 1 + + + + +
    + **Experience/AllowTailoredExperiencesWithDiagnosticData** diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index df30b8f920..d1a49971c5 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -20,6 +20,9 @@ manager: aaroncz ## HumanPresence policies
    +
    + HumanPresence/ForceInstantDim +
    HumanPresence/ForceInstantLock
    @@ -33,6 +36,56 @@ manager: aaroncz
    + +**HumanPresence/ForceInstantDim** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge. + + + +ADMX Info: +- GP Friendly name: *Force Instant Dim* +- GP name: *ForceInstantDim* +- GP path: *Windows Components/Human Presence* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + + +
    + **HumanPresence/ForceInstantLock** diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
    InternetExplorer/EnableExtendedIEModeHotkeys
    +
    + InternetExplorer/EnableGlobalWindowListInIEMode +
    +
    + InternetExplorer/HideInternetExplorer11RetirementNotification +
    InternetExplorer/IncludeAllLocalSites
    @@ -612,6 +618,9 @@ manager: aaroncz
    InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
    +
    + InternetExplorer/ResetZoomForDialogInIEMode +
    InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
    @@ -4423,6 +4432,115 @@ ADMX Info: +
    + + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
    + + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
    **InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
    + +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
    + **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index bcce2e1390..b62689625c 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -27,12 +27,36 @@ manager: aaroncz
    Printers/ApprovedUsbPrintDevicesUser
    +
    + Printers/ConfigureCopyFilesPolicy +
    +
    + Printers/ConfigureDriverValidationLevel +
    +
    + Printers/ConfigureIppPageCountsPolicy +
    +
    + Printers/ConfigureRedirectionGuardPolicy +
    +
    + Printers/ConfigureRpcConnectionPolicy +
    +
    + Printers/ConfigureRpcListenerPolicy +
    +
    + Printers/ConfigureRpcTcpPort +
    Printers/EnableDeviceControl
    Printers/EnableDeviceControlUser
    +
    + Printers/ManageDriverExclusionList +
    Printers/PointAndPrintRestrictions
    @@ -42,6 +66,9 @@ manager: aaroncz
    Printers/PublishPrinters
    +
    + Printers/RestrictDriverInstallationToAdministrators +
    > [!TIP] @@ -57,38 +84,14 @@ manager: aaroncz **Printers/ApprovedUsbPrintDevices** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is `/[,/]` -Parent deliverable: 26209274 - Device Control: Printer @@ -129,38 +131,14 @@ ADMX Info: **Printers/ApprovedUsbPrintDevicesUser** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -194,42 +172,423 @@ ADMX Info:
+
+**Printers/ConfigureCopyFilesPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD. Defaults to 1.
+
+- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
+- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
+- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage processing of Queue-specific files*
+- GP name: *ConfigureCopyFilesPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureDriverValidationLevel**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD. Defaults to 4.
+
+- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
+- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
+- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
+- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
+- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. 
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage Print Driver signature validation*
+- GP name: *ConfigureDriverValidationLevel*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureIppPageCountsPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
+
+If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
+
+The following are the supported values:
+
+AlwaysSendIppPageCounts: DWORD. Defaults to 0.
+
+- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
+- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Always send job page count information for IPP printers*
+- GP name: *ConfigureIppPageCountsPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureRedirectionGuardPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD, defaults to 1.
+
+- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
+- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
+- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Redirection Guard*
+- GP name: *ConfigureRedirectionGuardPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureRpcConnectionPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
+
+There are 2 values which can be configured:
+
+- RpcUseNamedPipeProtocol DWORD
+ - 0: RpcOverTcp (default)
+ - 1: RpcOverNamedPipes
+- RpcAuthentication DWORD
+ - 0: RpcConnectionAuthenticationDefault (default)
+ - 1: RpcConnectionAuthenticationEnabled
+ - 2: RpcConnectionAuthenticationDisabled
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
+- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC connection settings*
+- GP name: *ConfigureRpcConnectionPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureRpcListenerPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
+
+There are 2 values which can be configured:
+- RpcProtocols DWORD
+ - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
+ - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
+ - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
+- ForceKerberosForRpc DWORD
+ - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
+ - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
+- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC listener settings*
+- GP name: *ConfigureRpcListenerPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+**Printers/ConfigureRpcTcpPort**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
+
+- RpcTcpPort DWORD
+ - 0: Use dynamic TCP ports for RPC over TCP (default).
+ - 1-65535: Use the given port for RPC over TCP.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
+- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC over TCP port*
+- GP name: *ConfigureRpcTcpPort*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
    + **Printers/EnableDeviceControl** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
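Review bot: The ConfigureRpcTcpPort description has a doubled article in `a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key` and should drop one `the`. In ConfigureRpcListenerPolicy, value 7 reads `RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP`; the value name and the wording of values 3 and 5 indicate this should be `over named pipes and TCP`. In ConfigureDriverValidationLevel, `2 (DriverValidationLevel_WHQL)- Only drivers` is missing the space before the dash that the other four entries in that list have. ConfigureIppPageCountsPolicy's first sentence runs the code span into the next word, `AlwaysSendIppPageCounts`registry entry`, and needs a space after the closing backtick.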
    @@ -274,38 +633,14 @@ ADMX Info: **Printers/EnableDeviceControlUser** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -345,6 +680,62 @@ ADMX Info:
+
+**Printers/ManageDriverExclusionList**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
+
+If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
+
+The following are the supported values:
+
+Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
+
+Type: REG_SZ
+Value Name: Hash of excluded file
+Value Data: Name of excluded file
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage Print Driver exclusion list*
+- GP name: *ManageDriverExclusionList*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
 **Printers/PointAndPrintRestrictions**
@@ -548,6 +939,61 @@ ADMX Info:
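Review bot: `one or more *REG_ZS* values` in the ManageDriverExclusionList description is a typo for `REG_SZ`, the type that the next sentence and the `Type: REG_SZ` line both use, and `Tach *REG_SZ* value` should read `Each *REG_SZ* value`. The entry format is specified only as `Value Name: Hash of excluded file`, without saying which hash algorithm or encoding the value name uses, so an administrator cannot construct a correct exclusion entry from this text alone; naming the algorithm here, or linking the reference that specifies it, would close that gap.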
+
+**Printers/RestrictDriverInstallationToAdministrators**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users.
+
+This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
+
+The default value of the policy will be Unconfigured.
+
+If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
+
+If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
+
+The following are the supported values:
+
+- Not configured or Enabled - Only administrators can install print drivers on the computer.
+- Disabled - Standard users are allowed to install print drivers on the computer.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Restrict installation of print drivers to Administrators*
+- GP name: *RestrictDriverInstallationToAdministrators*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
    + ## Related topics diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index f3891cb68f..1c50ab927a 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 - Allow @@ -166,9 +166,9 @@ The table below shows the applicability of Windows: This policy setting allows you to disable the infrastructure movement detection feature. -If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure. +- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. -If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session. +- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. The default value is 1. @@ -177,7 +177,7 @@ The default value is 1. The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 (Default) - Allow diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 1e4509043f..9dc7485482 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,7 +1,7 @@ --- title: SharedPC CSP description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme ./Vendor/MSFT SharedPC ----EnableSharedPCMode +----EnableSharedPCModeWithOneDriveSync ----SetEduPolicies ----SetPowerPolicies ----MaintenanceStartTime @@ -47,12 +48,12 @@ SharedPC ----InactiveThreshold ----MaxPageFileSizeMB ``` -**./Vendor/MSFT/SharedPC** +**./Vendor/MSFT/SharedPC** The root node for the SharedPC configuration service provider. The supported operation is Get. -**EnableSharedPCMode** +**EnableSharedPCMode** A boolean value that specifies whether Shared PC mode is enabled. The supported operations are Add, Get, Replace, and Delete. 
@@ -61,16 +62,23 @@ Setting this value to True triggers the action to configure a device to Shared P The default value is Not Configured and SharedPC mode is not enabled. -**SetEduPolicies** +**EnableSharedPCModeWithOneDriveSync** +Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. + +The supported operations are Add, Get, Replace, and Delete. + +The default value is false. + +**SetEduPolicies** A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. The supported operations are Add, Get, Replace, and Delete. -The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. +The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured. -**SetPowerPolicies** +**SetPowerPolicies** Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. > [!NOTE] @@ -80,7 +88,7 @@ The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. -**MaintenanceStartTime** +**MaintenanceStartTime** Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. > [!NOTE] 
@@ -90,7 +98,7 @@ The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). -**SignInOnResume** +**SignInOnResume** Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. > [!NOTE] @@ -100,8 +108,8 @@ The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is True. -**SleepTimeout** -The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. +**SleepTimeout** +The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. > [!NOTE] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. @@ -110,7 +118,7 @@ The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600. -**EnableAccountManager** +**EnableAccountManager** A boolean that enables the account manager for shared PC mode. > [!NOTE] @@ -120,7 +128,7 @@ The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is True. -**AccountModel** +**AccountModel** Configures which type of accounts are allowed to use the PC. > [!NOTE] @@ -136,7 +144,7 @@ The following list shows the supported values: Its value in the SharedPC provisioning package is 1 or 2. -**DeletionPolicy** +**DeletionPolicy** Configures when accounts are deleted. > [!NOTE] 
@@ -149,7 +157,7 @@ For Windows 10, version 1607, here's the list shows the supported values: - 0 - Delete immediately. - 1 (default) - Delete at disk space threshold. -For Windows 10, version 1703, here's the list of supported values: +For Windows 10, version 1703, here's the list of supported values: - 0 - Delete immediately. - 1 - Delete at disk space threshold. @@ -157,7 +165,7 @@ For Windows 10, version 1703, here's the list of supported values: The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. -**DiskLevelDeletion** +**DiskLevelDeletion** Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. > [!NOTE] @@ -169,7 +177,7 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel The supported operations are Add, Get, Replace, and Delete. -**DiskLevelCaching** +**DiskLevelCaching** Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. > [!NOTE] 
@@ -181,48 +189,48 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel The supported operations are Add, Get, Replace, and Delete. -**RestrictLocalStorage** -Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. +**RestrictLocalStorage** +Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. > [!NOTE] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -**KioskModeAUMID** -Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. +**KioskModeAUMID** +Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. -- Value type is string. -- Supported operations are Add, Get, Replace, and Delete. +- Value type is string. +- Supported operations are Add, Get, Replace, and Delete. > [!NOTE] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -**KioskModeUserTileDisplayText** -Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. +**KioskModeUserTileDisplayText** +Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. Supported operations are Add, Get, Replace, and Delete. > [!NOTE] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. 
-**InactiveThreshold** +**InactiveThreshold** Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. -- The default value is Not Configured. -- Value type is integer. +- The default value is Not Configured. +- Value type is integer. - Supported operations are Add, Get, Replace, and Delete. The default in the SharedPC provisioning package is 30. -**MaxPageFileSizeMB** -Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. +**MaxPageFileSizeMB** +Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. > [!NOTE] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -- Default value is Not Configured. -- Value type is integer. +- Default value is Not Configured. +- Value type is integer. - Supported operations are Add, Get, Replace, and Delete. The default in the SharedPC provisioning package is 1024. diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 1eb414317a..071887f881 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -1,7 +1,7 @@ --- title: SharedPC DDF file description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703. + + EnableSharedPCModeWithOneDriveSync + + + + + + + + false + Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on + + + + + + + + + + Enable Shared PC mode with OneDrive sync + + + + + SetEduPolicies diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1b307f4e8d..813ff6e424 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -333,6 +333,11 @@ items: items: - name: PassportForWork DDF file href: passportforwork-ddf.md + - name: PersonalDataEncryption CSP + href: personaldataencryption-csp.md + items: + - name: PersonalDataEncryption DDF file + href: personaldataencryption-ddf-file.md - name: Personalization CSP href: personalization-csp.md items: @@ -685,6 +690,8 @@ items: href: policy-csp-deliveryoptimization.md - name: Desktop href: policy-csp-desktop.md + - name: DesktopAppInstaller + href: policy-csp-desktopappinstaller.md - name: DeviceGuard href: policy-csp-deviceguard.md - name: DeviceHealthMonitoring @@ -980,4 +987,4 @@ items: href: wirednetwork-csp.md items: - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md \ No newline at end of file + href: wirednetwork-ddf-file.md diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index e8c9563d43..15cbeaed69 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
@@ -322,10 +322,8 @@ Supported operation is Get. - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. - Bit 1 - Set to 1 when the client machine is Hyper-V capable. - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard installed on the client machine. +- Bit 3 - Set to 1 when Application Guard is installed on the client machine. - Bit 4 - Set to 1 when required Network Isolation Policies are configured. - > [!IMPORTANT] - > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. - Bit 6 - Set to 1 when system reboot is required. @@ -381,4 +379,4 @@ ADMX Info: ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index ee22abf878..346cc5e640 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -37,10 +37,10 @@ "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", - "audience": "ITPro", "ms.topic": "article", - "feedback_system": "None", - "hideEdit": false, + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", 
@@ -59,7 +59,12 @@
 ],
 "searchScope": ["Windows 10"]
 },
- "fileMetadata": {},
+ "fileMetadata": {
+ "feedback_system": {
+ "ue-v/**/*.*": "None",
+ "cortana-at-work/**/*.*": "None"
+ }
+ },
 "template": [],
 "dest": "win-configuration",
 "markdownEngineName": "markdig"
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 3e4b126512..933279aeb0 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -160,12 +160,12 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
 - [Maps CSP](/windows/client-management/mdm/maps-csp)
 - [NAP CSP](/windows/client-management/mdm/filesystem-csp)
 - [NAPDEF CSP](/windows/client-management/mdm/napdef-csp)
-- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265)
+- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265)
 - [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
 - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
-- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418)
+- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418)
 - [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
-- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372)
+- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372)
 - [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
 - [Registry CSP](/windows/client-management/mdm/registry-csp)
 - [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp)
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index d398777f84..3f3f880cc0 100644
--- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -33,7 +33,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). * If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 6e2cfcba95..ad1f0f4c84 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -21,9 +21,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif", - "**/*.pdf", - "**/*.vsdx" + "**/*.svg", + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -37,9 +36,6 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", - "audience": "ITPro", - "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", 
diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf deleted file mode 100644 index 5ab6f1c52e..0000000000 Binary files a/windows/deployment/media/Windows10AutopilotFlowchart.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10Autopilotflowchart.vsdx b/windows/deployment/media/Windows10Autopilotflowchart.vsdx deleted file mode 100644 index ef702ab66b..0000000000 Binary files a/windows/deployment/media/Windows10Autopilotflowchart.vsdx and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf deleted file mode 100644 index 3a4c5f022e..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx deleted file mode 100644 index 8b2db358ff..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and /dev/null differ diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index 8b93291b64..c6b984340b 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -22,7 +22,6 @@ search.appverid: - BCS160 - IWA160 description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption." -feedback_system: none --- # How to check Windows release health diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index 871ce3464e..e1fccf14ec 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md 
@@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil - [Product questions (using Microsoft Q&A)](/answers/products/) - [Support requests](#open-a-microsoft-support-case) for Update Compliance -To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. +To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. ## Troubleshooting tips diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 18021d5a5d..c4377a6979 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -5,31 +5,33 @@ ms.reviewer: manager: dougeby author: aczechowski ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.topic: article +ms.topic: reference --- -# Windows 10 deployment process posters +# Windows 10 deployment process posters **Applies to** -- Windows 10 +- Windows 10 -The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. +The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. ## Deploy Windows 10 with Autopilot -The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. +The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version. -[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) +[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager -The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. 
You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. +The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version. -[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) +[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf) ## See also -[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)
    -[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) +[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) + +[Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index b56c8a8916..f2950818eb 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -32,6 +32,8 @@ href: deploy/windows-autopatch-device-registration-overview.md - name: Register your devices href: deploy/windows-autopatch-register-devices.md + - name: Post-device registration readiness checks + href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate href: operate/index.md items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 1d55fce3d7..ede51bee83 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides and overview on how to register devices in Autopatch -ms.date: 07/28/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual 
@@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
        1. **If yes**, it means this device is enrolled into Intune.
        2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
    | +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
        1. **If yes**, it means this device is enrolled into Intune.
        2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
    | | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    | | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
      1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
    3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
      1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
    4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
      1. This group has all virtual devices managed by Windows Autopatch.
      | | **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | -| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not ready** tab.
        | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
        | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md new file mode 100644 index 0000000000..aa5eafc5b2 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md 
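Review bot: In the rewritten Step 4 row, item 3 `**If the device is a Windows device or not.**` is followed by the same sub-bullets as item 2 (look up the Intune device ID for the Azure AD device ID, "enrolled into Intune" / "not enrolled into Intune"), so the row never states how the Windows-versus-non-Windows decision is made; the commit only renames the tab in this row, but since it replaces the whole row this is the place to fix the carried-over duplication. The sub-bullets under item 3 should describe that check's own input and outcomes, for example `1. Windows Autopatch evaluates the **OperatingSystem** attribute gathered from Azure AD in **step 3a**.` followed by `1. If **Windows**, the prerequisite check continues to the SKU family check.` and `2. If **not**, the device is marked **Prerequisite failed** and added to the **Not registered** tab.`; the exact attribute and outcome wording should be confirmed with the feature owner rather than taken from this note. The same duplication is present in the removed version of the row, so this is not a regression introduced here.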
@@ -0,0 +1,99 @@ +--- +title: Post-device registration readiness checks +description: This article details how post-device registration readiness checks are performed in Windows Autopatch +ms.date: 09/15/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: andredm7 +--- + +# Post-device registration readiness checks + +One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. + +Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results. + +Windows Autopatch provides proactive device readiness information about devices that are and aren't ready to be fully managed by the service. IT admins can easily detect and fix device-related issues that are preventing them from achieving their update management compliance report goals. + +## Device readiness scenarios + +Device readiness in Windows Autopatch is divided into two different scenarios: + +| Scenario | Description | +| ----- | ----- | +| Prerequisite checks | Ensures devices follow software-based requirements before being registered with the service. | +| Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.

        IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.

        | + +### Device readiness checks available for each scenario + +| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| ----- | ----- | +|
        • Windows OS (build, architecture and edition)
        • Managed by either Intune or ConfigMgr co-management
        • ConfigMgr co-management workloads
        • Last communication with Intune
        • Personal or non-Windows devices
        |
        • Windows OS (build, architecture and edition)
        • Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
        • Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
        • Internet connectivity
        | + +The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service. + +## About the three tabs in the Devices blade + +You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance. Figuring out device health can be challenging and disruptive to the end user when IT can’t obtain proactive data sent by the device to the service for IT admins to proactively detect, troubleshoot, and fix issues. + +Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and troubleshoot potential device health issues: + +| Tab | Description | +| ----- | ----- | +| Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
        • Passed the prerequisite checks.
        • Registered with Windows Autopatch.
        This tab also lists devices that have passed all postdevice registration readiness checks. | +| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
        • **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
        • **Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.
        | +| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. | + +## Details about the post-device registration readiness checks + +A healthy or active device in Windows Autopatch is: + +- Online +- Actively sending data +- Passes all post-device registration readiness checks + +The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin responsible for performing the readiness checks in devices and report back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service. + +The following list of post-device registration readiness checks is performed in Windows Autopatch: + +| Check | Description | +| ----- | ----- | +| **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. | +| **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). | +| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. | +| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. 
Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). | +| **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. | +| **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. | +| **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. | +| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. | + +## Daily operations in Windows Autopatch + +See the following end-to-end IT admin operation workflow: + +:::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png"::: + +| Step | Description | +| ----- | ----- | +| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).| +| **Step 8: Perform readiness checks** |
        1. Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
        2. The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
        |
+| **Step 9: Check readiness status** |
        1. The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
        2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.
        |
+| **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
+| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. |
+
+## FAQ
+
+| Question | Answer |
+| ----- | ----- |
+| **How frequent are the post-device registration readiness checks performed?** |
        • The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
        • Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
        • The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
        • The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
        |
+| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.

        Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.

        |
+
+## Additional resources
+
+- [Device registration overview](windows-autopatch-device-registration-overview.md)
+- [Register your devices](windows-autopatch-register-devices.md)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index fb3df8f46b..ddd32f7d97 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch
-ms.date: 08/08/2022
+ms.date: 09/07/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: how-to
@@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th
 ### About the use of an Azure AD group to register devices
-You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
+You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods:
+
+- Direct membership
+- Nesting other Azure AD dynamic/assigned groups
+- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members)
+
+Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
 > [!NOTE]
 > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
@@ -78,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
-## About the Ready and Not ready tabs
+## About the Ready, Not ready and Not registered tabs
-Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
+Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues.
-| Tab | Purpose |
-| ----- | ----- |
-| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. |
-| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. |
+| Device blade tab | Purpose | Expected device readiness status |
+| ----- | ----- | ----- |
+| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active |
+| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service.
| Readiness failed and/or Inactive |
+| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed |
+
+## Device readiness statuses
+
+See all possible device readiness statuses in Windows Autopatch:
+
+| Readiness status | Description | Device blade tab |
+| ----- | ----- | ----- |
+| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready |
+| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready |
+| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready |
+| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered |
 ## Built-in roles required for device registration
@@ -119,16 +137,16 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
-4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
+4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
 > [!NOTE]
-> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs.
+> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs.
 Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
> [!TIP]
-> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand.
+> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf.
 ### Windows Autopatch on Windows 365 Enterprise Workloads
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index 3abdb9288e..f5a8284a8c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png
new file mode 100644
index 0000000000..c6abcd6790
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png
index 043e275574..4e347dc3cf 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
index 15a138fcdf..50e4fd586e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s
 In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience":::
+:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png":::
 ### Feature update deadline forces an update
@@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi
 The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update":::
+:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png":::
 ### Feature update grace period
@@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon
 Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period":::
+:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
 ## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
index 8e6075fd7e..1f19a0fd64 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl
 | Fast | Release start + 60 days |
 | Broad | Release start + 90 days |
-:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline":::
+:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png":::
 ## New devices to Windows Autopatch
@@ -64,7 +64,7 @@ When releasing a feature update, there are two policies that are configured by t
 | Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
 | ----- | ----- | ----- | ----- | ----- |
 | Test | 21H2 | 0 | 5 | 0 |
-| First | 21H2 | 0 | 5 | 0 |
+| First | 21H2 | 0 | 5 | 2 |
 | Fast | 21H2 | 0 | 5 | 2 |
 | Broad | 21H2 | 0 | 5 | 2 |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 2515a08a9a..9fa7e60794 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -27,3 +27,7 @@ After you've completed enrollment in Windows Autopatch, some management settings
 | Setting | Description |
 | ----- | ----- |
 | Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).

        Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:

        • Modern Workplace Update Policy [Broad]-[Windows Autopatch]
        • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
        • Modern Workplace Update Policy [First]-[Windows Autopatch]
        • Modern Workplace Update Policy [Test]-[Windows Autopatch]

        When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.

        **To resolve the Not ready result:**

        After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        **To resolve the Advisory result:**

        1. Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
        2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        |
+
+## Windows Autopatch configurations
+
+Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index ddefb5977c..d3ef9e518e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -33,7 +33,7 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a
 All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
-Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
+Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
 ## Update rings
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 982440f7ea..3169d13cff 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan
 Each deployment ring has a different set of update deployment policies to control the updates rollout.
+> [!WARNING]
+> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+
 > [!IMPORTANT]
 > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
@@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg
 | Deployment ring | Default device balancing percentage | Description |
 | ----- | ----- | ----- |
-| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
 | First | **1%** | The First ring is the first group of production users to receive a change.

        This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

        Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
 | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

        The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

        |
 | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.|
@@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
 > [!NOTE]
 > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

        If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
-
+
+> [!WARNING]
+> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+
 ## Automated deployment ring remediation functions
 Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index 555d20ee68..b83dc059df 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not
 In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience":::
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
 ### Quality update deadline forces an update
@@ -48,7 +48,7 @@ In the following example, the user:
 The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update":::
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
 ### Quality update grace period
@@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon
 Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period":::
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
 ## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index c7c96c2575..a8da5aeb86 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
 Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
-:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline":::
+:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
 ## Expedited releases
@@ -74,10 +74,6 @@ If we pause the release, a policy will be deployed which prevents devices from u
 You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
-## Rollback
-
-Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md).
-
 ## Incidents and outages
 If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
index cf052fbba4..d8b16b880a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
@@ -40,9 +40,9 @@ The update is released to the Test ring on the second Tuesday of the month. Thos
 ## Device reliability signals
-Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
+Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
-The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version.
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
 As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
@@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals: | Device reliability signal | Description | | ----- | ----- | | Blue screens | These events are highly disruptive to end users so are closely watched. | -| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | -| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 8b42365ad6..0ab881bf82 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml 
@@ -51,7 +51,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? 
@@ -76,12 +76,13 @@ sections: - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings. - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? 
answer: | Autopatch relies on the following capabilities to help resolve update issues: @@ -98,7 +99,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab4daa7fe2..698612aa82 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -14,6 +14,11 @@ msreviewer: hathind # Changes made at tenant enrollment +The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. + +> [!IMPORTANT] +> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. + ## Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: 
@@ -29,10 +34,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 11
        | | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 10
        | | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | @@ -132,4 +137,4 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Script | Description | | ----- | ----- | -| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | +| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index ee8956decd..c90d19fae5 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -20,7 +20,7 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources. -The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities: +The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. | Data source | Purpose | | ------ | ------ | 
@@ -74,7 +74,7 @@ Microsoft Windows Update for Business uses data from Windows diagnostics to anal ## Microsoft Azure Active Directory -Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) +Identifying data used by Windows Autopatch is stored by Azure Active Directory (AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) ## Microsoft Intune diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 0164891a96..b8fe13f82f 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
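Review bot: The new line under "## Microsoft Azure Active Directory" replaces the expansion `(Azure AD)` with `(AD)`, while the rest of the same sentence and the link text still say "Azure AD", and the `@@ -20,7 +20,7 @@` hunk of the same file makes the opposite change, introducing `(Azure AD)`. In an identity document a bare `AD` reads as on-premises Active Directory, a different directory with different data-residency rules, so the abbreviation carries meaning here rather than being cosmetic. Suggest `Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location.` so both sections of the file use the same term.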
@@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B > [!IMPORTANT] > If you've already registered your VM (or device) using Intune, then skip this step. -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. -Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. +Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account, select **Sign in** on the upper-right-corner of the main page. Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: @@ -528,8 +522,6 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. - First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf deleted file mode 100644 index cb1ef988a1..0000000000 Binary files a/windows/hub/WaaS-infographic.pdf and /dev/null differ 
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 461e6028a8..508d741a9b 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -22,8 +22,7 @@
 "**/*.png",
 "**/*.jpg",
 "**/*.svg",
- "**/*.gif",
- "**/*.pdf"
+ "**/*.gif"
 ],
 "exclude": [
 "**/obj/**",
diff --git a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf b/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf
deleted file mode 100644
index 557f45193a..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf b/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf
deleted file mode 100644
index d01542ed2b..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf b/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf
deleted file mode 100644
index 87110d6b3e..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf b/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf
deleted file mode 100644
index 8d04e66910..0000000000
Binary files a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf b/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf
deleted file mode 100644
index 86529c1665..0000000000
Binary files a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/WindowsServicing.pdf b/windows/media/ModernSecureDeployment/WindowsServicing.pdf
deleted file mode 100644
index 19a419e3a9..0000000000
Binary files a/windows/media/ModernSecureDeployment/WindowsServicing.pdf and /dev/null differ
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index e518d55a86..a90c978811 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -45,17 +45,17 @@ productDirectory: # Card - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_extend.svg + imageSrc: /media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. url: required-windows-11-diagnostic-events-and-fields.md # Card - title: Windows 10 required diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_build.svg + imageSrc: /media/common/i_build.svg summary: See what changes Windows is making to align to the new data collection taxonomy url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg + imageSrc: /media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md
@@ -181,4 +181,4 @@ additionalContent:
 - text: Support for GDPR Accountability on Service Trust Portal
 url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
 # footer (optional)
- # footer: "footertext [linktext](/footerfile)"
\ No newline at end of file
+ # footer: "footertext [linktext](/footerfile)"
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 1b61031be8..319f5a8afd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -5,7 +5,7 @@ ms.prod: m365-security
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection:
 - M365-identity-device-management
@@ -22,6 +22,24 @@ appliesto: - ✅ Windows Server 2022 --- # Manage Windows Defender Credential Guard + +## Default Enablement + +Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. + +### Requirements for automatic enablement + +Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements: + +|Component|Requirement| +|---|---| +|Operating System|Windows 11 Enterprise 22H2| +|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| +|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. + +> [!NOTE] +> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. 
+ ## Enable Windows Defender Credential Guard Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index e4d7f90a39..5688ac38d1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -5,7 +5,7 @@ ms.prod: m365-security
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection:
 - M365-identity-device-management
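Review bot: The third row of the new requirements table, `|Virtualization-based Security (VBS) Requirements|VBS must be enabled ... enabled by default.`, has no closing `|`, unlike the two rows above it; add the trailing pipe so every renderer treats the row the same way. The NOTE that a prior explicit disable is not overwritten is the caveat administrators need, but it leaves them with no way to tell which state a given device actually ended up in after upgrading to 22H2. Consider adding a sentence pointing to the HVCI and Windows Defender Credential Guard hardware readiness tool referenced in the context line that follows, or to System Information (msinfo32), as the way to confirm that Credential Guard is running rather than assuming the default applied. The "Enable" section that starts at the end of this hunk continues outside it.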
@@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. > [!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers is not supported. -> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. +> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time. +> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. > [!NOTE] > Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). @@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve |Firmware: **Secure firmware update process**|**Requirements**:
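Review bot: The rewritten WARNING changes the support position from "not supported" to "not recommended at this time" without saying whether enabling Credential Guard on a domain controller is now actually supported, and the `@@ -103,9 +103,6 @@` hunk in the same file deletes the IMPORTANT box about Windows Server 2016 domain controllers, so the page no longer states supportability anywhere. If the intent is "supported but discouraged", say so explicitly; if it remains unsupported, keep that word, because administrators read the two very differently when deciding whether to roll a setting out to tier-0 hosts. The new rationale could also be tied to the NOTE directly beneath it, e.g. `Windows Defender Credential Guard does not protect the Active Directory database that a domain controller hosts, so it adds no protection there and can cause application compatibility issues on domain controllers.`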
        - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| |Software: Qualified **Windows operating system**|**Requirement**:
        - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| -> [!IMPORTANT] -> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. - > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index ebbea60361..d057f242cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md 
@@ -78,7 +78,7 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d995550c13..3a4f97b0d0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| - - +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F1 | ​There is no UPN in the token. | | ​0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | +| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 8765cbc8c3..95583c6427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md 
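Review bot: The new `0xCAA30193` row in the `@@ -100,6 +98,7 @@` hunk describes a cause (a server, proxy or firewall returned HTTP 403) yet is placed in the "Errors with unknown mitigation" table, whose lead-in tells readers to contact Microsoft Support, and its description reads awkwardly. Consider `| 0xCAA30193 | HTTP 403 Forbidden: the request left the device, but a server, proxy, or firewall rejected it. |` and, if the product team agrees that checking proxy and firewall access to the required Azure AD endpoints is the first step, moving the row to the mitigation table above with that step in the third column. The same wording pass applies to the `0xC00000BB` row in the first hunk, where `the client can not verify the KDC certificate CRL` should read `the client cannot verify the KDC certificate's CRL`.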
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Using cloud trust for "Run as" - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\). + ## Deployment Instructions Deploying Windows Hello for Business cloud trust consists of two steps: @@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? -No, only the number necessary to handle the load from all cloud trust devices. \ No newline at end of file +No, only the number necessary to handle the load from all cloud trust devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 7a9e8e62b1..f62e08bd4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
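Review bot: The distinguished name in the new NOTE ends in `OU=Domain Controllers,\)`, which looks like an angle-bracket placeholder for the domain components that the renderer swallowed; wrap the whole DN in backticks or escape the brackets so readers can see where the domain part goes. The note also presents editing `msDS-NeverRevealGroup` on the Azure AD Kerberos computer object as a plain unblocking step, but that attribute is the list of groups whose credentials must never be revealed to that object, so relaxing it for high-privilege accounts widens the set of accounts whose Kerberos material is reachable through the cloud trust path. A practitioner would expect a caveat such as `Before changing this attribute, consider whether privileged accounts need to sign in with cloud trust at all; removing a group from msDS-NeverRevealGroup lowers the protection the default gives that group, so limit the change to the specific accounts that need it and review it like any other change to privileged account protections.`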
@@ -38,7 +38,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later | | **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
        and
        Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | Windows Server 2012 or later Network Device Enrollment Service | +| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy),
        and
        Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service | | **MFA Requirement** | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter |
 | **Azure AD Connect** | N/A | Required | Required | Required |
 | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index bdd841ab2c..a0fa9d6144 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -65,6 +65,8 @@ landingContent:
 url: hello-identity-verification.md
 - linkListType: how-to-guide
 links:
+ - text: Hybrid Cloud Trust Deployment
+ url: hello-hybrid-cloud-trust.md
 - text: Hybrid Azure AD Joined Key Trust Deployment
 url: hello-hybrid-key-trust.md
 - text: Hybrid Azure AD Joined Certificate Trust Deployment
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 8926ad4417..26654a00e4 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -9,16 +9,18 @@ ms.reviewer: prsriva
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 08/30/2022
+ms.date: 09/15/2022
 appliesto: - ✅ Windows 10 - ✅ Windows 11 --- # WebAuthn APIs for passwordless authentication on Windows - + Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users.
-Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
+Microsoft has long been a proponent of passwordless authentication, and has introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
+
+Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
 ## What does this mean?
@@ -29,11 +31,11 @@ Users of these apps or sites can use any browser that supports WebAuthn APIs for
 Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
 > [!NOTE]
-> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging.
+> When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging.
 ## The big picture
-Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
+The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
 The authentication process starts when the user makes a specific user gesture that indicates consent for the operation.
At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally. 
@@ -56,30 +58,30 @@ A combined WebAuthn/CTAP2 dance includes the following cast of characters: - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser. > [!NOTE]
- > The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
+ > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
-- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
+- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
-- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ.
+- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions shown in the preceding diagram may differ.
- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators. - **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols.
-Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app.
+Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile application.
 ## Interoperability
-Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
+Before WebAuthn and CTAP2, there were U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials.
WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
-FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features:
+FIDO2 authenticators have already been implemented and WebAuthn relying parties might require the following optional features:
 - Keys for multiple accounts (keys can be stored per relying party) - Client PIN - Location (the authenticator returns a location) - [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
-The following options and might be useful in the future, but haven't been observed in the wild yet:
+The following options might be useful in the future, but haven't been observed in the wild yet:
 - Transactional approval - User verification index (servers can determine whether biometric data that's stored locally has changed over time)
@@ -105,18 +107,18 @@ Here's an approximate layout of where the Microsoft bits go: > [!IMPORTANT] > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
-- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
+- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
 > [!NOTE] > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication). - **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
-- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery.
To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
+- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
 ## Developer references The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications: - [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
-- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
+- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html).
        This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 92960da468..e02cee6ffc 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,18 +1,15 @@
 ---
 title: System requirements for Microsoft Defender Application Guard
 description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.topic: overview
 ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
+author: vinaypamnani-msft
+ms.author: vinpa
 ms.date: 08/25/2022
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: windows-sec
+ms.reviewer: sazankha
+manager: aaroncz
 ---
 # System requirements for Microsoft Defender Application Guard
@@ -48,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
 | Software | Description |
 |--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or higher
        Windows 10 Professional edition, version 1809 or higher
        Windows 10 Professional for Workstations edition, version 1809 or higher
        Windows 10 Professional Education edition, version 1809 or higher
        Windows 10 Education edition, version 1809 or higher
        Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
        Windows 11 Education, Enterprise, and Professional | +| Operating system | Windows 10 Enterprise edition, version 1809 or later
        Windows 10 Professional edition, version 1809 or later
        Windows 10 Professional for Workstations edition, version 1809 or later
        Windows 10 Professional Education edition, version 1809 or later
        Windows 10 Education edition, version 1809 or later
        Windows 11 Education, Enterprise, and Professional editions | | Browser | Microsoft Edge | | Management system
        (only for managed devices)| [Microsoft Intune](/intune/)

        **OR**

        [Microsoft Endpoint Configuration Manager](/configmgr/)

        **OR**

        [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

        **OR**

        Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 3f1a94a7ad..59695ee06d 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -2,8 +2,8 @@ title: Microsoft Defender SmartScreen overview
 description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
 ms.prod: m365-security
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
 ms.localizationpriority: high
 ms.reviewer:
 manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
index 2606a9ef99..9f88d7f24f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -24,9 +24,9 @@ Starting in Windows 11 22H2, Enhanced Phishing Protection in Microsoft Defender
 Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
-- If users type their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account
+- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account
 - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password
-- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends them to delete their password from the file
+- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file
 ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
@@ -35,7 +35,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
 - **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content
 - **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information, etc.) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them
 - **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the M365D Portal.
This enables you to view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment
-- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs
+- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, are not enabled.
 ## Configure Enhanced Phishing Protection for your organization
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index f85611c594..fe15669214 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
 - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
 ```powershell
- New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
+ New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
 ```
 - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index e30b2c517a..b7d7521a48 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows)
 description: This article describes the file formats and available default rules for the script rule collection.
 ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
 ms.reviewer:
-ms.author: macapara
+ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index f99766832e..005c1ddcc2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows)
 description: This topic describes the AppLocker enforcement settings for rule collections.
 ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
 ms.reviewer:
-ms.author: macapara
+ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 8b30f46fa9..ca600a98a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -59,7 +59,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
 4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
 ```powershell
- New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
 ```
 > [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 70a4c7cad7..63d3ee3fe4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -31,7 +31,7 @@ ms.technology: windows-sec
 ## Using fsutil to query SmartLocker EA
-Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
 **Example:**
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index c15d853296..b81414e10f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -126,13 +126,13 @@ Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC
 ### Software Publisher Based Deny Rule
 ```Powershell
-$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Deny -Fallback FileName,Hash
+$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Fallback SignedVersion,Publisher,Hash -Deny
 ```
 ### Software Attributes Based Deny Rule
 ```Powershell
-$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash
+$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Fallback Hash -Deny
 ```
 ### Hash Based Deny Rule
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 65565ec200..cfea5dc30f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
 ms.author: dansimp
 manager: dansimp
 ms.date: 02/28/2018
@@ -49,7 +49,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
 2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
- `PackageInspector.exe Start C:`
+ ```powershell
+ PackageInspector.exe Start C:
+ ```
 > [!NOTE]
 > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
@@ -77,13 +79,12 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
 For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
- `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - - `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - - `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ $CatDefName=$ExamplePath+"\LOBApp.cdf"
+ PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName
+ ```
 >[!NOTE] >Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
@@ -125,15 +126,18 @@ To sign the existing catalog file, copy each of the following commands into an e
 1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
- `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ ```
 2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
 3. Sign the catalog file with Signtool.exe:
- ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
+ ```powershell
+ sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
+ ```
 >[!NOTE] >The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
@@ -156,16 +160,20 @@ After the catalog file is signed, add the signing certificate to a WDAC policy, 1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: +2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename: - `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` + ```powershell + New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash + ``` > [!NOTE] > Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. -3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: +3. 
Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: - `Add-SignerRule -FilePath -CertificatePath -User` + ```powershell + Add-SignerRule -FilePath -CertificatePath -User + ``` If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index dbe28e8b2a..b3cffd3fb8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
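Review bot: The new step-2 sentence says the policy allowlists "by signer and original filename", but the command's `-Fallback SignedVersion,Publisher,Hash` means any scanned file without FilePublisher metadata gets a SignedVersion or Publisher rule, which (as I read those levels) allows everything from that signer/CA pair rather than one filename; since this policy is later merged into a production one, the sentence should say that the fallback widens the rules. The same fallback chain is used in the `New-CIPolicy` example of deploy-multiple-windows-defender-application-control-policies.md in this commit and deserves the same caveat there. Also, `–UserPEs` in the fenced command appears to use an en dash while every other parameter and the NOTE use a hyphen; PowerShell tolerates the dash variants, but the fence should read `-UserPEs` so that search and copy-paste behave. The enclosing numbered procedure starts outside the hunk.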
@@ -56,19 +56,19 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a
 In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format.
 
 ```powershell
-New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
+New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
 ```
 
 Optionally, you can choose to make the new base policy allow for supplemental policies.
 
 ```powershell
-Set-RuleOption -FilePath -Option 17
+Set-RuleOption -FilePath ".\policy.xml" -Option 17
 ```
 
 For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers.
 
 ```powershell
-Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] []
+Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny]
 ```
 
 ### Supplemental policy creation
@@ -79,12 +79,9 @@ In order to create a supplemental policy, begin by creating a new policy in the
 - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
 
 ```powershell
-Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] []
+Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] -PolicyId -PolicyName
 ```
 
-> [!NOTE]
-> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID.
-
 ### Merging policies
 
 When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 407a00c553..9db5920c58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
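Review bot: The new `Set-CIPolicyIdInfo` example marks both `-SupplementsBasePolicyID` and `-BasePolicyToSupplementPath` as optional, yet one of them is what makes the file a supplemental policy; run with neither, the command only re-labels a base policy. Since the same page now uses `.\policy.xml` for the base policy, the pasteable form would be `Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" -BasePolicyToSupplementPath ".\policy.xml" -PolicyId <new GUID> -PolicyName "<name>"`. The deleted NOTE was the only explanation of `-ResetPolicyID` on the page; if the parameter bullet list above the hunk still mentions that switch, the bullet should be updated or the note kept.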
@@ -1,21 +1,16 @@ --- title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows) description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp +ms.author: vinpa +manager: aaroncz ms.date: 06/27/2022 -ms.technology: windows-sec +ms.topic: how-to --- # Deploy WDAC policies using Mobile Device Management (MDM) @@ -61,13 +56,13 @@ The steps to use Intune's custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` -2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - - **Data type**: Base64 + - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] 
@@ -86,13 +81,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: -1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - - **Data type**: Base64 + - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy` + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 562849c65a..64e6685f37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -1,21 +1,16 @@ --- -title: Microsoft recommended block rules (Windows) +title: Microsoft recommended block rules description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.technology: windows-sec -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp -ms.date: 08/11/2022 +ms.author: vinpa +manager: aaroncz +ms.date: 09/29/2021 +ms.topic: reference --- # Microsoft recommended block rules @@ -75,7 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - wslconfig.exe - wslhost.exe -1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. +1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. 2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe. 
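Review bot: `ms.date` moves backwards in this front-matter hunk, from `08/11/2022` to `09/29/2021`, while the body of the same file is edited further down in this commit and the other front-matter hunks keep their dates. That looks like metadata copied from another file rather than a deliberate change; the value should stay `ms.date: 08/11/2022` or be set to the date of this revision.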
@@ -105,11 +100,11 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. -For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules. +As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules. -Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. 
Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files: +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files: - msxml3.dll - msxml6.dll diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c731e404ee..bcfc28eb19 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -1,21 +1,15 @@ --- title: Understanding Windows Defender Application Control (WDAC) secure settings description: Learn about secure settings in Windows Defender Application Control. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jgeurten -ms.reviewer: jgeurten -ms.author: dansimp -manager: dansimp +ms.reviewer: vinpa +ms.author: jogeurte +manager: aaroncz ms.date: 10/11/2021 -ms.technology: mde --- # Understanding WDAC Policy Settings diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index f031321396..1c50e07a18 100644 
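Review bot: The rewrite of the PowerShell-bypass paragraph drops the only concrete pointer a defender can act on: "The June 2017 Windows updates resolve..." becomes "For example, updates help resolve...", so a reader can no longer tell which update level closes the bypass that motivates the hash-based deny rules. The tense can be modernised without losing the date, e.g. `The June 2017 Windows updates resolved several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control.` The neighbouring sentences keep their October 2017 and March 2019 references, so the paragraph reads inconsistently after the change.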
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -84,3 +84,38 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +## System requirements for System Guard + +|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| +|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| +|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | +|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
        Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
        Must NOT have execute and write permissions for the same page
        Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
        BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
        Platforms must set up a PS (Platform Supplier) index with:

        • Exactly the "TXT PS2" style Attributes on creation as follows:
          • AuthWrite
          • PolicyDelete
          • WriteLocked
          • WriteDefine
          • AuthRead
          • WriteDefine
          • NoDa
          • Written
          • PlatformCreate
        • A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
        • Size of exactly 70 bytes
        • NameAlg = SHA256
        • Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
        PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 | +|AUX Policy|The required AUX policy must be as follows:
        • A = TPM2_PolicyLocality (Locality 3 & Locality 4)
        • B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
        • authPolicy = \{A} OR {{A} AND \{B}}
        • authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24
        | +|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
        • Handle: 0x01C101C0
        • Attributes:
          • TPMA_NV_POLICYWRITE
          • TPMA_NV_PPREAD
          • TPMA_NV_OWNERREAD
          • TPMA_NV_AUTHREAD
          • TPMA_NV_POLICYREAD
          • TPMA_NV_NO_DA
          • TPMA_NV_PLATFORMCREATE
          • TPMA_NV_POLICY_DELETE
        • A policy of:
          • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
          • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
        | +|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
        • Intel® SINIT ACM must be carried in the OEM BIOS
        • Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
        | +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | + +|For AMD® processors starting with Zen2 or later silicon|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.| +|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| +|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | +|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
        Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
        Must NOT have execute and write permissions for the same page
        BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
        • Handle: 0x01C101C0
        • Attributes:
          • TPMA_NV_POLICYWRITE
          • TPMA_NV_PPREAD
          • TPMA_NV_OWNERREAD
          • TPMA_NV_AUTHREAD
          • TPMA_NV_POLICYREAD
          • TPMA_NV_NO_DA
          • TPMA_NV_PLATFORMCREATE
          • TPMA_NV_POLICY_DELETE
        • A policy of:
          • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
          • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
        | +|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
        • AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed

        Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
        Platform must have AMD® Memory Guard enabled.| +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | + +|For Qualcomm® processors with SD850 or later chipsets|Description| +|--------|-----------| +|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types| +|Monitor Mode Page Tables|All Monitor Mode page tables must:
        • NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
        • They must NOT have execute and write permissions for the same page
        • Platforms must only allow Monitor Mode pages marked as executable
        • The memory map must report Monitor Mode as EfiReservedMemoryType
        • Platforms must provide mechanism to protect the Monitor Mode page tables from modification
        | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|Platform firmware|Platform firmware must carry all code required to launch.| +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 5c9e29a065..e3cc007d51 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -72,43 +72,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). - -## System requirements for System Guard - -|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| -|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| -|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. 
| -|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
        Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
        Must NOT have execute and write permissions for the same page
        Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
        BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | -|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| -|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
        Platforms must set up a PS (Platform Supplier) index with:
        • Exactly the "TXT PS2" style Attributes on creation as follows:
          • AuthWrite
          • PolicyDelete
          • WriteLocked
          • WriteDefine
          • AuthRead
          • WriteDefine
          • NoDa
          • Written
          • PlatformCreate
        • A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
        • Size of exactly 70 bytes
        • NameAlg = SHA256
        • Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
        PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 | -|AUX Policy|The required AUX policy must be as follows:
        • A = TPM2_PolicyLocality (Locality 3 & Locality 4)
        • B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
        • authPolicy = \{A} OR {{A} AND \{B}}
        • authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24
        | -|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
        • Handle: 0x01C101C0
        • Attributes:
          • TPMA_NV_POLICYWRITE
          • TPMA_NV_PPREAD
          • TPMA_NV_OWNERREAD
          • TPMA_NV_AUTHREAD
          • TPMA_NV_POLICYREAD
          • TPMA_NV_NO_DA
          • TPMA_NV_PLATFORMCREATE
          • TPMA_NV_POLICY_DELETE
        • A policy of:
          • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
          • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
        | -|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
        • Intel® SINIT ACM must be carried in the OEM BIOS
        • Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
        | -|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | - -|For AMD® processors starting with Zen2 or later silicon|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.| -|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| -|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | -|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
        Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
        Must NOT have execute and write permissions for the same page
        BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | -|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| -|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
        • Handle: 0x01C101C0
        • Attributes:
          • TPMA_NV_POLICYWRITE
          • TPMA_NV_PPREAD
          • TPMA_NV_OWNERREAD
          • TPMA_NV_AUTHREAD
          • TPMA_NV_POLICYREAD
          • TPMA_NV_NO_DA
          • TPMA_NV_PLATFORMCREATE
          • TPMA_NV_POLICY_DELETE
        • A policy of:
          • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
          • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
        |
-|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
        • AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed

        Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
        Platform must have AMD® Memory Guard enabled.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For Qualcomm® processors with SD850 or later chipsets|Description|
-|--------|-----------|
-|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
-|Monitor Mode Page Tables|All Monitor Mode page tables must:
        • NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
        • They must NOT have execute and write permissions for the same page
        • Platforms must only allow Monitor Mode pages marked as executable
        • The memory map must report Monitor Mode as EfiReservedMemoryType
        • Platforms must provide mechanism to protect the Monitor Mode page tables from modification
        |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|Platform firmware|Platform firmware must carry all code required to launch.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index e42fab8ddb..5325926107 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -28,13 +28,8 @@ Windows Sandbox has the following properties:
 - **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
 - **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
- > [!IMPORTANT]
- > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-The following video provides an overview of Windows Sandbox.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
-
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
 ## Prerequisites