diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index fc74fcd614..d343391f22 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -1,7 +1,7 @@
---
title: Deployment recommendations for school IT administrators
description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
-ms.topic: conceptual
+ms.topic: best-practice
ms.date: 08/10/2022
appliesto:
- ✅ Windows 10
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 012b66b62e..98999d7cc0 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -1,7 +1,7 @@
---
title: Azure AD Join with Set up School PCs app
description: Learn how Azure AD Join is configured in the Set up School PCs app.
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/10/2022
appliesto:
- ✅ Windows 10
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index e30614fd73..1193a202d9 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -1,7 +1,7 @@
---
title: Set up Windows devices for education
description: Decide which option for setting up Windows 10 is right for you.
-ms.topic: conceptual
+ms.topic: overview
ms.date: 08/10/2022
appliesto:
- ✅ Windows 10
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 2533467fca..d9663d6d32 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -2,7 +2,7 @@
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 03/31/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# Take tests and assessments in Windows
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index b91d83d780..89577e6e9f 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -2,7 +2,7 @@
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 08/31/2022
-ms.topic: conceptual
+ms.topic: tutorial
---
# Tutorial: deploy and manage Windows devices in a school
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 633ac67aa7..6536c45279 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -1,8 +1,8 @@
---
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
-ms.topic: article
-ms.date: 03/09/2023
+ms.topic: reference
+ms.date: 08/18/2023
appliesto:
- ✅ Windows 11 SE
ms.collection:
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 0da408d581..7c6ecca23b 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -1,7 +1,7 @@
---
title: Windows 10 editions for education customers
description: Learn about the two Windows 10 editions that are designed for the needs of education institutions.
-ms.topic: conceptual
+ms.topic: overview
ms.date: 07/25/2023
appliesto:
- ✅ Windows 10
diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md
new file mode 100644
index 0000000000..8f3cdce242
--- /dev/null
+++ b/includes/configure/gpo-settings-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under
\ No newline at end of file
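Review bot: The added sentence in gpo-settings-1.md stops at "use the settings located under", with no colon, trailing space or final newline, so it only reads correctly if every including article starts its next text with the policy path. Either end the include on a complete clause, as intune-settings-catalog-1.md does with "and use the following settings:", or state in the file that the consumer must supply the path directly after the include.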
diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md
new file mode 100644
index 0000000000..bf8ee52309
--- /dev/null
+++ b/includes/configure/gpo-settings-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups.
\ No newline at end of file
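Review bot: The subject of the added sentence in gpo-settings-2.md is "The policy settings", but the second and third verbs ("linked to the domain or organizational units, and filtered to security groups") describe the GPO, not individual settings. Suggest splitting it: settings can be configured locally with `gpedit.msc`, or in a GPO that is linked to the domain or organizational units and filtered to security groups.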
diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md
new file mode 100644
index 0000000000..60125a46d1
--- /dev/null
+++ b/includes/configure/intune-custom-settings-1.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices with Microsoft Intune, use a custom policy:
+
+1. Go to the Microsoft Intune admin center
+2. Select **Devices > Configuration profiles > Create profile**
+3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
+4. Select **Create**
+5. Specify a **Name** and, optionally, a **Description > Next**
+6. Add the following settings:
\ No newline at end of file
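Review bot: In step 5 the bold span covers `**Description > Next**`, which makes "Next" look like part of the Description field rather than a separate button. Close the bold after "Description" and bold "Next" on its own, matching how steps 2 and 3 separate UI labels.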
diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md
new file mode 100644
index 0000000000..03977b7a0d
--- /dev/null
+++ b/includes/configure/intune-custom-settings-2.md
@@ -0,0 +1,12 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+7. Select **Next**
+8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+9. Under **Applicability Rules**, select **Next**
+10. Review the policy configuration and select **Create**
\ No newline at end of file
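Review bot: The hard-coded numbers 7 to 10 in intune-custom-settings-2.md are only right while intune-custom-settings-1.md has exactly six steps and the content placed between the two includes does not end the list. The article edited in this same patch numbers every step `1.`, so consider documenting the pairing in both files, or restructuring so the steps do not depend on a count kept in another file. Step 8 would also read better as "Assign the policy to a security group whose members are the devices or users that you want to configure", with "Next" as its own bold label.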
diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md
new file mode 100644
index 0000000000..8f406cf058
--- /dev/null
+++ b/includes/configure/intune-custom-settings-info.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md
new file mode 100644
index 0000000000..9aae47a0fa
--- /dev/null
+++ b/includes/configure/intune-settings-catalog-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md
new file mode 100644
index 0000000000..287d5ebbf1
--- /dev/null
+++ b/includes/configure/intune-settings-catalog-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
\ No newline at end of file
diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md
new file mode 100644
index 0000000000..a818e4df8b
--- /dev/null
+++ b/includes/configure/tab-intro.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
\ No newline at end of file
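Review bot: The added sentence in tab-intro.md reads "provide details how to configure your devices", which is missing a preposition. Suggest "provide details on how to configure your devices" or simply "describe how to configure your devices".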
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 5c9f5e618a..af54ebd7c7 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -9,6 +9,7 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.custom: has-azure-ad-ps-ref
ms.date: 05/24/2023
ms.reviewer:
---
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index bc31b8b6e5..db4571a9c6 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -1,74 +1,98 @@
---
-title: Add or hide optional apps and features on Windows devices | Microsoft Docs
-description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
+title: Add or hide Windows features
+description: Learn how to add Windows optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.date: 08/30/2021
-ms.topic: article
+ms.date: 08/18/2023
+ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
-ms.reviewer:
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
-# Add or hide features on the Windows client OS
+# Add or hide Windows features
-**Applies to**:
+Windows includes optional features that aren't installed by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be installed at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
-- Windows 10
-- Windows 11
+## Use the Windows Settings app to add or uninstall features
-The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features.
+### Windows 11
-This article:
+1. Open the Start menu and search for **Settings**.
-- Shows you how to add features using the user interface.
-- Lists the group policies and Mobile device management (MDM) policies to hide Windows Features.
-- Includes information on using Windows PowerShell to disable specific Windows Features.
+1. In the Settings app, search for "optional" and select **Optional features**.
-If you're working on your own device, use the **Settings** app to add features.
+ > [!TIP]
+ > You can also use the following shortcut to open it directly: [`ms-settings:optionalfeatures`](ms-settings:optionalfeatures).
-## Add or uninstall features
+1. To add a feature:
-1. In the Search bar, search for "apps", and select **Apps and features**.
-2. Select **Optional features** > **Add a feature**.
-3. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
+ 1. Select **View features** next to "Add an optional feature."
+
+ 1. Find the feature you want to add, like **XPS Viewer**. Select the box to add it. You can select multiple features.
+
+ 1. Select **Next**. Review the list of features you selected, and then select **Install** to add the selected features.
+
+1. To uninstall a feature:
+
+ 1. Search for it in the list of **Installed features**.
+
+ 1. Expand the section, and select **Uninstall**.
+
+### Windows 10
+
+1. In the Search bar, search for "apps" and select **Apps and features**.
+
+1. Select **Optional features** > **Add a feature**.
+
+1. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
When the installation completes, the feature is listed in **Apps & features**. In **Apps & features** > **Optional features** > **More Windows features**, there are more features that you and your users can install.
To uninstall a feature, open the **Settings** app. Select the feature, and then select **Uninstall**.
-## Use Group Policy or MDM to hide Windows Features
+## Use group policy or MDM policies to hide Windows features
-By default, the OS might show Windows Features, and allow users to install and uninstall these optional apps and features.
+By default, the OS might show Windows features and allow users to install and uninstall these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
-To hide Windows Features on your user devices, you can use Group Policy (on-premises), or use an MDM provider, such as Microsoft Intune (cloud).
+### Group policy
-### Group Policy
+If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
-If you use Group Policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the Windows Features is hidden on the device.
-
-You can't use Group Policy to disable specific Windows Features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features) (in this article).
+You can't use group policy to disable specific Windows features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
### MDM
-Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to hide Windows Features.
+Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
-If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the Control Panel settings you can configure, see [Control Panel settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
+If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
## Use Windows PowerShell to disable specific features
-To disable specific features, you can use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) command. There isn't a Group Policy that disables specific Windows Features.
+To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
-If you're looking to automate disabling specific features, you can create a scheduled task. Then, use the scheduled task to run your Windows PowerShell script. For more information about Task Scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
+> [!NOTE]
+> There isn't a group policy that disables specific Windows features.
-Microsoft Intune can also execute Windows PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
+To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
-## Restore Windows features
+Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
-- If you use Group Policy or MDM to hide Windows Features or the entire Apps feature, you can set the policy to **Not configured**. Then, deploy your policy. When the device receives the policy, the features are configurable.
-- Using Windows PowerShell, you can also enable specific features using the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) command.
+To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
+
+Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart may be required when the state changes.
+
+## Related articles
+
+- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+
+- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod)
+
+- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod)
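Review bot: The removed "Restore Windows features" section told administrators that setting the hide policy back to **Not configured** and redeploying makes the features configurable again; the replacement text keeps only the Enable-WindowsOptionalFeature sentence, so the page no longer says how to undo the group policy or MDM hiding it describes. Keep one sentence on reverting the policy, for example at the end of the "Use group policy or MDM policies to hide Windows features" section. Separately, the added Windows 10 step ends with `**Install.**`, which puts the period inside the bold label.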
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index d96a55ee1f..d8e784b9e5 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -1,25 +1,22 @@
---
-title: Learn about the different app types in Windows 10/11 | Microsoft Docs
+title: Overview of apps on Windows client devices
description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 02/09/2023
-ms.topic: article
+ms.topic: overview
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
-ms.reviewer:
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Overview of apps on Windows client devices
-**Applies to**:
-
-- Windows 10
-- Windows 11
-
## Before you begin
As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index adca0baba0..30b7ab9bfc 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -1,39 +1,46 @@
### YamlMime:Landing
title: Windows application management
-summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.
+summary: Learn about managing applications in Windows client, including common app types.
metadata:
title: Windows application management
- description: Learn about managing applications in Windows 10 and Windows 11.
+ description: Learn about managing applications in Windows client.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 08/24/2021
+ ms.date: 08/18/2023
ms.topic: landing-page
ms.prod: windows-client
ms.collection:
- tier1
- highpri
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
+
landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Manage Windows applications
+ - title: Manage applications
linkLists:
- - linkListType: overview
+ - linkListType: how-to-guide
links:
- - text: Understand apps in Windows client OS
+ - text: Overview of apps in Windows
url: apps-in-windows-10.md
- - text: How to add features
+ - text: Add or hide Windows features
url: add-apps-and-features.md
- text: Sideload LOB apps
url: sideload-apps-in-windows-10.md
- text: Keep removed apps from returning during an update
url: remove-provisioned-apps-during-update.md
- # Card (optional)
+ - title: Manage services
+ linkLists:
+ - linkListType: reference
+ links:
+ - text: Per-user services in Windows
+ url: per-user-services-in-windows.md
+ - text: Changes to Service Host grouping in Windows 10
+ url: svchost-service-refactoring.md
+
- title: Application Virtualization (App-V)
linkLists:
- linkListType: overview
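Review bot: The "Manage applications" card is changed to `linkListType: how-to-guide`, but its first link is "Overview of apps in Windows", which this same patch marks `ms.topic: overview` in apps-in-windows-10.md. Split the overview link into its own `overview` link list, or keep the card type that matches its first entry. The same mismatch applies to the new "Manage services" card, typed `reference` while per-user-services-in-windows.md becomes `ms.topic: how-to` here. The added comment listing the allowed values also contains `tutorial` twice.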
@@ -52,15 +59,3 @@ landingContent:
url: app-v/appv-troubleshooting.md
- text: Technical Reference for App-V
url: app-v/appv-technical-reference.md
-
- # Card (optional)
- - title: Windows System Services
- linkLists:
- - linkListType: overview
- links:
- - text: Changes to Service Host grouping in Windows 10
- url: svchost-service-refactoring.md
- - text: Per-user services in Windows
- url: per-user-services-in-windows.md
- - text: Per-user services in Windows
- url: per-user-services-in-windows.md
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 1b840ef5a8..200ea7e859 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,24 +1,21 @@
---
-title: Per-user services in Windows 10 and Windows Server
+title: Per-user services
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 09/14/2017
-ms.topic: article
+ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
-ms.reviewer:
+appliesto:
+ - ✅ Windows 10
+ - ✅ Windows Server
---
-# Per-user services in Windows 10 and Windows Server
-
-**Applies to**:
-
-- Windows 10
-- Windows Server
+# Per-user services in Windows
Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks.
@@ -80,9 +77,9 @@ In light of these restrictions, you can use the following methods to manage per-
You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings).
-For example:
+For example:
-```
+```ini
[Unicode]
Unicode=yes
[Version]
@@ -128,7 +125,7 @@ If you can't use Group Policy Preferences to manage the per-user services, you c
To disable the Template Services, change the Startup Type for each service to 4 (disabled).
For example:
-```code
+```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
@@ -163,9 +160,10 @@ You can create a script to change the Startup Type for the per-user services. Th
Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc990290(v=ws.11)?f=255&MSPPError=-2147217396):
-```
+```cmd
sc.exe configure start= disabled
```
+
The space after "=" is intentional.
Sample script using the [Set-Service PowerShell cmdlet](/previous-versions/windows/it-pro/windows-powershell-1.0/ee176963(v=technet.10)):
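Review bot: The sample inside the fence that this hunk retags as `cmd` reads `sc.exe configure start= disabled`, which as shown names no service, and the sc.exe subcommand that changes a start type is `config`, not `configure`. Since the block is now highlighted as a runnable command, correct it in the same change to the form `sc.exe config <service name> start= disabled` so that a copied command works.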
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index a7d6df5901..23b08e028e 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -1,22 +1,21 @@
---
-title: How to keep apps removed from Windows 10 from returning during an update
-description: How to keep provisioned apps that were removed from your machine from returning during an update.
+title: Keep removed apps from returning during an update
+description: When you remove provisioned apps from devices, this article explains how to keep those apps from returning during an update.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 05/25/2018
-ms.topic: article
+ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier1
-ms.reviewer:
+appliesto:
+ - ✅ Windows 10
---
-# How to keep apps removed from Windows 10 from returning during an update
-**Applies to**:
+# Keep removed apps from returning during an update
-- Windows 10
When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue.
@@ -97,7 +96,7 @@ You're now ready to update your computer. After the update, check the list of ap
## Registry keys for provisioned apps
-```syntax
+```console
Windows Registry Editor Version 5.00
;1709 Registry Keys
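Review bot: The fence is retagged from `syntax` to `console`, but the block that follows starts with "Windows Registry Editor Version 5.00" and a `;` comment, so it is the content of a .reg file rather than a terminal session. A tag for file content fits better; `ini`, which this patch already uses for the security template in per-user-services-in-windows.md, handles the section and `;` comment syntax.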
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 70f3c50177..be0e459235 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,24 +1,21 @@
---
-title: Sideload LOB apps in Windows client OS | Microsoft Docs
-description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
+title: Sideload line of business apps
+description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems. When you sideload an app, you deploy a signed app package to a device.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/07/2017
-ms.topic: article
+ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
-ms.reviewer:
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
-# Sideload line of business (LOB) apps in Windows client devices
-
-**Applies to**:
-
-- Windows 10
-- Windows 11
+# Sideload line of business (LOB) apps
> [!NOTE]
> Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration.
@@ -27,7 +24,7 @@ Sideloading apps is when you install apps that aren't from an official source, s
When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1
-Starting with Windows 10, sideloading is different than earlier versions of Windows:
+Starting with Windows 10, sideloading is different than earlier versions of Windows:
- You can unlock a device for sideloading using an enterprise policy, or through the **Settings** app.
- License keys aren't required.
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index eef38fed3e..7bc1bcf117 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -1,23 +1,20 @@
---
-title: Service Host service refactoring in Windows 10 version 1703
-description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
+title: Service host grouping in Windows 10
+description: Learn about the Service Host (SvcHost) service refactoring introduced in Windows 10 version 1703.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 07/20/2017
-ms.topic: article
+ms.topic: concept-article
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
-ms.colletion: tier1
-ms.reviewer:
+ms.colletion: tier2
+appliesto:
+ - ✅ Windows 10
---
-# Changes to Service Host grouping in Windows 10
-
-**Applies to**:
-
-- Windows 10
+# Service host grouping in Windows 10
The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
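Review bot: The changed line `ms.colletion: tier2` keeps the misspelled key; every other file in this patch uses `ms.collection`. As written, the patch edits the value of a key that does not match the one used elsewhere, so the tier change is unlikely to take effect. Rename it to `ms.collection: tier2` in this change.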
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index 0e7673be7a..cc596076a4 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -3,18 +3,22 @@ items:
href: index.yml
- name: Application management
items:
- - name: Common app types
+ - name: Overview of apps in Windows
href: apps-in-windows-10.md
- - name: Add features in Windows client
+ - name: Add or hide Windows features
href: add-apps-and-features.md
- - name: Sideload apps
+ - name: Sideload line of business (LOB) apps
href: sideload-apps-in-windows-10.md
- name: Private app repo on Windows 11
href: private-app-repository-mdm-company-portal-windows-11.md
- name: Remove background task resource restrictions
href: enterprise-background-activity-controls.md
- - name: Enable or block Windows Mixed Reality apps in the enterprise
- href: /windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality
+ - name: Service host grouping in Windows 10
+ href: svchost-service-refactoring.md
+ - name: Per-user services in Windows
+ href: per-user-services-in-windows.md
+ - name: Keep removed apps from returning during an update
+ href: remove-provisioned-apps-during-update.md
- name: Application Virtualization (App-V)
items:
- name: App-V for Windows overview
@@ -251,14 +255,3 @@ items:
href: app-v/appv-viewing-appv-server-publishing-metadata.md
- name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
href: app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
-
-- name: Reference
- items:
- - name: Service Host process refactoring
- href: svchost-service-refactoring.md
- - name: Per-user services in Windows
- href: per-user-services-in-windows.md
- - name: Disabling System Services in Windows Server
- href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
- - name: How to keep apps removed from Windows from returning during an update
- href: remove-provisioned-apps-during-update.md
\ No newline at end of file
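Review bot: Of the four entries removed from the Reference node in this hunk, only three are re-added under Application management in the first hunk; "Disabling System Services in Windows Server" (`/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server`) is dropped with no replacement. If that is intentional, say so in the change description; otherwise re-add it next to "Per-user services in Windows" so the service-hardening guidance stays reachable from this TOC. The same question applies to the Mixed Reality entry removed in the first hunk.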
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a97023b5d9..a38e34c05c 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 08/17/2023
ms.topic: article
---
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index cabee079ab..0138bae2ca 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -1,14 +1,12 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 10/15/2022
+ms.date: 08/18/2023
ms.prod: windows-client
ms.technology: itpro-configure
-ms.topic: conceptual
-ms.localizationpriority: medium
+ms.topic: concept-article
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer:
manager: aaroncz
ms.collection: tier2
appliesto:
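Review bot: Since this hunk already rewrites the front matter, fix the `description` context line as well: it starts with a lowercase "options" and reads "such touchdown spaces", which is missing "as". Suggested wording: "Options to optimize Windows devices used in shared scenarios, such as touchdown spaces in an enterprise, temporary customer use in retail, or shared devices in a school."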
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index ff00445b6c..1697bfc141 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -13,6 +13,8 @@
items:
- name: Set up Delivery Optimization for Windows
href: waas-delivery-optimization-setup.md
+ - name: Monitor Delivery Optimization for Windows
+ href: waas-delivery-optimization-monitor.md
- name: Configure Delivery Optimization settings using Microsoft Intune
href: /mem/intune/configuration/delivery-optimization-windows
- name: Resources for Delivery Optimization
@@ -36,11 +38,13 @@
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
- href: mcc-enterprise-deploy.md
+ href: mcc-enterprise-portal-deploy.md
- name: Update or uninstall MCC
href: mcc-enterprise-update-uninstall.md
- name: Appendix
href: mcc-enterprise-appendix.md
+ - name: MCC for Enterprise and Education (early preview)
+ href: mcc-enterprise-deploy.md
- name: MCC for ISPs
items:
- name: MCC for ISPs Overview
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index a94dbfaf85..922909b41d 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
+ms.reviewer: mstewart
---
# Using a proxy with Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index b0a7f34819..c201a86893 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
+ms.reviewer: mstewart
---
# Delivery Optimization client-service communication explained
diff --git a/windows/deployment/do/images/ent-mcc-deployment-complete.png b/windows/deployment/do/images/ent-mcc-deployment-complete.png
new file mode 100644
index 0000000000..3586c6019f
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-deployment-complete.png differ
diff --git a/windows/deployment/do/images/ent-mcc-portal-create.png b/windows/deployment/do/images/ent-mcc-portal-create.png
new file mode 100644
index 0000000000..194220be72
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-portal-create.png differ
diff --git a/windows/deployment/do/images/ent-mcc-portal-resource.png b/windows/deployment/do/images/ent-mcc-portal-resource.png
new file mode 100644
index 0000000000..383db09303
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-portal-resource.png differ
diff --git a/windows/deployment/do/images/ent-mcc-provisioning.png b/windows/deployment/do/images/ent-mcc-provisioning.png
new file mode 100644
index 0000000000..1c1dc4f0d0
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-provisioning.png differ
diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md
index b0039d5c54..cce1f7f7f6 100644
--- a/windows/deployment/do/includes/get-azure-subscription.md
+++ b/windows/deployment/do/includes/get-azure-subscription.md
@@ -1,6 +1,7 @@
---
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
manager: aaroncz
ms.date: 10/18/2022
ms.prod: windows-client
diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md
index d264cc0f93..fbe43f8660 100644
--- a/windows/deployment/do/includes/mcc-prerequisites.md
+++ b/windows/deployment/do/includes/mcc-prerequisites.md
@@ -1,6 +1,7 @@
---
-author: amyzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
manager: aaroncz
ms.prod: windows-client
ms.technology: itpro-deploy
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index 3d120dad99..c886372c0f 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -41,10 +41,10 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- - text: Delivery Optimization settings
+ - text: Delivery Optimization recommended settings
url: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
- - text: Windows PowerShell for Delivery Optimization
- url: waas-delivery-optimization-setup.md#windows-powershell-cmdlets
+ - text: Monitor Delivery Optimization for Windows
+ url: waas-delivery-optimization-monitor.md
- text: Troubleshoot Delivery Optimization
url: waas-delivery-optimization-setup.md#troubleshooting
- text: Delivery Optimization Frequently Asked Questions
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 5702d64fde..566e605a7c 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -3,12 +3,13 @@ title: MCC for Enterprise and Education Overview
manager: aaroncz
description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
+ms.reviewer: mstewart
---
# Microsoft Connected Cache for Enterprise and Education Overview
@@ -37,9 +38,9 @@ Connected Cache (early preview) supports the following scenarios:
When clients download cloud-managed content, they use Delivery Optimization from the cache server installed on a Windows server or VM. Cloud-managed content includes the following types:
-- Windows Update for Business: Windows feature and quality updates
+- Windows updates: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
-- Client apps: Microsoft Store apps and updates
+- Client apps: Intune, store apps, and updates
- Endpoint protection: Windows Defender definition updates
For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
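Review bot: The new bullet "Client apps: Intune, store apps, and updates" is ambiguous: it is unclear whether "Intune" means apps deployed through Intune or Intune itself, and "store" has lost the product name that the removed line had ("Microsoft Store apps and updates"). Suggest something like "Client apps: Intune-deployed apps, Microsoft Store apps, and updates" if that is the intent, and apply the same wording to the identical bullet in mcc-isp-overview.md.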
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 7f45db43f3..20462921af 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -3,8 +3,9 @@ title: Appendix
manager: aaroncz
description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 4c015f9471..cdcf5c1b5d 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -1,17 +1,18 @@
---
-title: Deploying your cache node
+title: MCC for Enterprise and Education (early preview)
manager: aaroncz
-description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
---
-# Deploying your cache node
+# Deploying your enterprise cache node
**Applies to**
@@ -129,7 +130,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
- Downloads, installs, and deploys EFLOW
- Enables Microsoft Update so EFLOW can stay up to date
- Creates a virtual machine
-- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
+- Enables the firewall and opens ports 80 for inbound and outbound traffic. Port 80 is used by MCC.
- Configures Connected Cache tuning settings.
- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
- Deploys the MCC container to server.
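Review bot: The added bullet reads "opens ports 80 for inbound and outbound traffic"; with port 22 removed it should be singular, "opens port 80". Please also confirm that the install script itself no longer opens port 22, so that the documented firewall state matches what the script leaves on the server, and check the rest of the article for remaining steps that assume SSH access.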
diff --git a/windows/deployment/do/mcc-enterprise-portal-deploy.md b/windows/deployment/do/mcc-enterprise-portal-deploy.md
new file mode 100644
index 0000000000..eea23e3bad
--- /dev/null
+++ b/windows/deployment/do/mcc-enterprise-portal-deploy.md
@@ -0,0 +1,145 @@
+---
+title: Deploying your cache node
+manager: aaroncz
+description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+ms.prod: windows-client
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
+ms.topic: article
+ms.date: 12/31/2017
+ms.technology: itpro-updates
+ms.collection: tier3
+---
+
+# Deploying your cache node
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+## Create the Microsoft Connected Cache resource
+
+1. Navigate to Azure portal by using the [following link](https://aka.ms/mcc-enterprise-preview):
+ > [!IMPORTANT]
+ > You must access Azure portal using this link (https://aka.ms/mcc-enterprise-preview) in order to find the correct Microsoft Connected Cache resource.
+
+ 
+
+1. In the search bar by **Get Started**, search for `Microsoft Connected Cache for Enterprise`.
+ 
+1. Select **Create** to create your Microsoft Connected Cache resource. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
+1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a “Deployment complete” page as below. Select **Go to resource**.
+
+
+## Create, provision, and deploy the cache node in Azure portal
+
+To create, provision, and deploy the cache node in Azure portal, follow these steps:
+1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise (preview) resource.
+1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**.
+1. Provide a name for your cache node and select **Create** to create your cache node.
+1. You may need to refresh to see the cache node. Select the cache node to configure it.
+1. Fill out the Basics and Storage fields. Enter the cache drive size in GB - this has a minimum size of 50 GB.
+
+ 
+Once complete, select **Save** at the top of the page and select **Provision server**.
+1. To deploy your cache node, download the installer by selecting **Download provisioning package**.
+1. Run the provided provisioning script - note that this is unique to each cache node.
+
+## Verify proper functioning MCC server
+
+#### Verify client side
+
+Connect to the EFLOW VM and check if MCC is properly running:
+
+1. Open PowerShell as an Administrator.
+2. Enter the following commands:
+
+ ```powershell
+ Connect-EflowVm
+ sudo -s
+ iotedge list
+ ```
+
+ :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
+
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+
+#### Verify server side
+
+For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server.
+
+```powershell
+wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
+```
+
+A successful test result will display a status code of 200 along with additional information.
+
+:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
+
+ :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
+
+Similarly, enter the following URL from a browser in the network:
+
+`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
+
+If the test fails, see the [common issues](#common-issues) section for more information.
+
+### Monitoring your metrics
+
+To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
+
+:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
+
+You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.
+
+If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured.
+
+
+### Intune (or other management software) configuration for MCC
+
+For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
+
+:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
+
+## Common Issues
+
+#### PowerShell issues
+
+If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.`
+
+1. Ensure you're running Windows PowerShell version 5.x.
+
+1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
+
+1. Ensure you have Hyper-V enabled:
+
+ **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
+
+ **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
+
+#### Verify Running MCC Container
+
+Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
+
+```bash
+Connect-EflowVm
+sudo iotedge list
+```
+
+:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
+
+If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
+
+```bash
+sudo journalctl -u iotedge -f
+```
+
+This command will provide the current status of the starting, stopping of a container, or the container pull and start.
+
+:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
+
+
+> [!NOTE]
+> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
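Review bot: Under "Verify server side", the sentence "Replace with the IP address of the cache server" names no placeholder, and both the `wget` command and the browser URL have an empty host (`http:///mscomtest/wuidt.gif?...`), so the check cannot be run as written; add an explicit placeholder for the cache server address in both places and drop the square brackets around the URL in the command. Other points in this new file: step 4 of the first procedure says "as below" but no image follows, and `ent-mcc-deployment-complete.png` is added in this change without being referenced anywhere; "Verify Running MCC Container" puts `Connect-EflowVm` in a `bash` fence although the earlier section runs it from PowerShell; the section headings jump from `##` to `####`, and "Verify client side" actually describes connecting to the EFLOW VM on the server; `ms.date: 12/31/2017` is a placeholder date for a file created in this change; and the closing note promises "a few issues that we encountered" but the file ends there.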
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
index d8282ff774..dec45fd83c 100644
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -3,8 +3,9 @@ title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Educa
manager: aaroncz
description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index 1a995a17cf..d79c144a59 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -3,8 +3,9 @@ title: Update or uninstall Microsoft Connected Cache for Enterprise and Educatio
manager: aaroncz
description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index 7c71fe158d..b7bea13484 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -3,8 +3,9 @@ title: Cache node configuration
manager: aaroncz
description: Configuring a cache node on Azure portal
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index d7bf5ee7a4..d118693501 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -9,6 +9,7 @@ ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
+ms.reviewer: mstewart
---
# Create, configure, provision, and deploy the cache node in Azure portal
@@ -82,7 +83,7 @@ To set up and enable BGP routing for your cache node, follow the steps below:
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship.
+ - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for MCC. MCC will be automatically assigned as the same ASN as the neighbor.
> [!NOTE]
> **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.
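Review bot: The added sentences in the BGP routing bullet are hard to parse: "MCC will be automatically assigned as the same ASN as the neighbor" does not say which side is "the neighbor". Suggest stating it directly, for example "Enter the ASN you used to sign up for MCC. The cache node is automatically assigned the same ASN as the neighbor you enter here", assuming that is the intended meaning, so operators do not enter a peer's ASN by mistake.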
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index 61cf0eeef2..f04f2e3dc9 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -2,8 +2,9 @@
metadata:
title: Microsoft Connected Cache Frequently Asked Questions
description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
- author: amymzhou
- ms.author: amyzhou
+ ms.author: carmenf
+ author: cmknox
+ ms.reviewer: mstewart
manager: aaroncz
ms.collection:
- highpri
diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md
index 0c49510bf3..9c0aa7fd80 100644
--- a/windows/deployment/do/mcc-isp-overview.md
+++ b/windows/deployment/do/mcc-isp-overview.md
@@ -3,8 +3,9 @@ title: MCC for ISPs Overview
manager: aaroncz
description: Overview for Microsoft Connected Cache for ISPs
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 07/27/2023
ms.technology: itpro-updates
@@ -31,9 +32,9 @@ Microsoft Connected Cache (preview) supports the following scenarios:
Microsoft Connected Cache uses Delivery Optimization as the backbone for Microsoft content delivery. Microsoft Connected Cache caches the following types:
-- Windows Update for Business: Windows feature and quality updates
+- Windows updates: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
-- Client apps: Microsoft Store apps and updates
+- Client apps: Intune, store apps, and updates
- Endpoint protection: Windows Defender definition updates
- Xbox: Xbox Game Pass (PC only)
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index fc6cf1cc8d..087a11d27f 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -9,6 +9,7 @@ ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
+ms.reviewer: mstewart
---
# Operator sign up and service onboarding for Microsoft Connected Cache
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index 2be225b039..dba3bbfc15 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -9,6 +9,7 @@ ms.topic: reference
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
+ms.reviewer: mstewart
---
# Support and troubleshooting
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index 3f3cc8f176..ab13ed3b58 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -3,8 +3,9 @@ title: Update or uninstall your cache node
manager: aaroncz
description: How to update or uninstall your cache node
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index 912aedb9ee..9dc6e22466 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -3,8 +3,9 @@ title: Verify cache node functionality and monitor health and performance
manager: aaroncz
description: How to verify the functionality of a cache node
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 8d49b53f07..7d3b9de1cc 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -3,8 +3,9 @@ title: Enhancing cache performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
-author: amymzhou
-ms.author: amyzhou
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
ms.topic: reference
ms.technology: itpro-updates
ms.date: 12/31/2017
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 9a067c4a51..097b922aa9 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -4,9 +4,9 @@ description: Details on Microsoft Connected Cache (MCC) for Internet Service Pro
ms.prod: windows-client
ms.technology: itpro-updates
ms.localizationpriority: medium
-author: amymzhou
-ms.author: amyzhou
-ms.reviewer: carmenf
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
manager: aaroncz
ms.topic: how-to
ms.date: 05/20/2022
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
similarity index 76%
rename from windows/deployment/do/includes/waas-delivery-optimization-monitor.md
rename to windows/deployment/do/waas-delivery-optimization-monitor.md
index 94a8439074..2a44035bf3 100644
--- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -1,22 +1,36 @@
---
-author: mestew
-ms.author: mstewart
manager: aaroncz
+title: Monitor Delivery Optimization
+description: How to monitor Delivery Optimization
+ms.collection:
+ - tier3
ms.prod: windows-client
-ms.technology: itpro-deploy
-ms.topic: include
-ms.date: 07/31/2023
+ms.technology: itpro-updates
+ms.topic: reference
+ms.date: 08/13/2023
ms.localizationpriority: medium
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
---
-
-## Monitor Delivery Optimization
+# Monitor Delivery Optimization
-### Windows PowerShell cmdlets
+To monitor Delivery Optimization, you can use either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets.
+
+## Monitor with Windows Update for Business Delivery Optimization Report
+
+Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
+
+:::image type="content" source="../update/media/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox= "../update/media/wufb-do-overview.png":::
+
+For details, see [Windows Update for Business Delivery Optimization Report](/windows/deployment/update/wufb-reports-overview).
+
+## Windows PowerShell cmdlets
**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization.
-#### Analyze usage
+### Analyze usage
`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
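Review bot: In the added report paragraph, the source list "peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution" is missing a conjunction before the last item, so it is unclear whether these are alternatives or a combined total; add "or" (or "and") as intended. The image alt text still says "in Update Compliance" while the heading and body call the product Windows Update for Business reports, and `lightbox= "../update/media/wufb-do-overview.png"` has a stray space after the equals sign. For parallel headings, consider "Monitor with Windows PowerShell cmdlets" to match "Monitor with Windows Update for Business Delivery Optimization Report".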
@@ -112,7 +126,7 @@ Using the `-Verbose` option returns additional information:
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to data from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
-#### Manage the Delivery Optimization cache
+### Manage the Delivery Optimization cache
**Starting in Windows 10, version 1903:**
@@ -132,7 +146,7 @@ You can now "pin" files to keep them persistent in the cache, only with files th
- `-IncludePinnedFiles` deletes all files that are pinned.
- `-Force` deletes the cache with no prompts.
-#### Work with Delivery Optimization logs
+### Work with Delivery Optimization logs
**Starting in Windows 10, version 2004:**
@@ -183,18 +197,19 @@ The provider is listed as "Default Provider" if it's using the Delivery Optimiza
The cmdlet returns the following data:
-- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](../waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
+- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
- WorkingDirectory: The local folder containing the Delivery Optimization cache.
-- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
-- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
-- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](../waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
+- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
+- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
- VpnKeywords: List of keywords used to identify a VPN adapter.
-- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
-- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
-- DownloadMode: Corresponds to the [DODownloadMode](../waas-delivery-optimization-reference.md#download-mode) policy.
-- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
-- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
-- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
-- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
-- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](../waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
-- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](../waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.
+- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
+- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
+- DownloadMode: Corresponds to the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) policy.
+- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
+- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
+- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
+- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
+- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
+- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.
+
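Review bot: every link in this list drops the `../` prefix, which is only correct if this file now sits in the same folder as waas-delivery-optimization-reference.md. Please confirm the file location and run link and anchor validation on all of the rewritten targets, since a wrong relative path or bookmark fails silently in the rendered page. The trailing `+` blank line at the end of the hunk looks incidental; drop it unless the file was missing its final newline.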
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 4407a465a2..2103cab516 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -10,6 +10,7 @@ ms.topic: reference
ms.technology: itpro-updates
ms.date: 07/31/2023
ms.collection: tier3
+ms.reviewer: mstewart
---
# Delivery Optimization reference
@@ -323,7 +324,7 @@ The device can download from peers while on battery regardless of this policy.
MDM Setting: **DOCacheHost**
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the the next one. When the last server fails, it will fallback to the CDN.
>[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
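Review bot: the text added to the DOCacheHost paragraph has a typo ("move the the next one"), uses "fallback" where the verb "fall back" is meant, and states the ordering rule twice in consecutive sentences. Suggest collapsing it to something like: "The Delivery Optimization client tries the listed servers in the order given; if a server fails it moves to the next one, and when the last server fails it falls back to the CDN." It would also help to say what counts as a server failure, and to clarify how this fallback behaves given the note directly below that an empty string still counts as the policy being set.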
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 550dbf7563..61df7a10d6 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -110,17 +110,6 @@ Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** an
[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
-
-[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)]
-
-### Monitor with Windows Update for Business Delivery Optimization Report
-
-Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
-
-:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png":::
-
-For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md).
-
## Troubleshooting
This section summarizes common problems and some solutions to try.
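Review bot: this removes the whole monitoring block (the waas-delivery-optimization-monitor.md include and the "Monitor with Windows Update for Business Delivery Optimization Report" section) without adding a pointer to where that content now lives. If it moved to another article, add a short link before "## Troubleshooting" so readers of the setup page can still find it, and check for inbound links to the removed heading anchor and for the include file becoming orphaned.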
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index ba8be8bce6..14d8a8a7d9 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -12,6 +12,7 @@ ms.collection:
- highpri
ms.topic: overview
ms.date: 12/31/2017
+ms.reviewer: mstewart
---
# What is Delivery Optimization?
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 4be489751a..398ef9a635 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 05/09/2023
ms.collection: tier3
+ms.reviewer: mstewart
---
# What is Microsoft Connected Cache?
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index c3d46c8e64..e8fa21b8c3 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -3,8 +3,9 @@ title: Optimize Windows update delivery
description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
ms.prod: windows-client
ms.localizationpriority: medium
-author: mestew
-ms.author: mstewart
+ms.author: carmenf
+author: cmknox
+ms.reviewer: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index d63bb5d612..6236a48963 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
+ms.reviewer: mstewart
---
# What's new in Delivery Optimization
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index c77bd7cf97..a5732df6ef 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,14 +1,19 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 06/07/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
-ms.reviewer: mstewart
-ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 06/07/2023
---
# How to check Windows release health
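Review bot: ms.topic changes from how-to to conceptual on an article whose title and H1 are "How to check Windows release health", and ms.reviewer: mstewart is removed here while other hunks in this patch add that same field. If the metadata block is being normalized to a template, keep how-to as the topic type for this procedural article and confirm that dropping ms.reviewer is intended rather than a side effect of reordering the fields.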
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 0f0a693609..89a981ff58 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,28 +1,28 @@
---
title: Create a deployment plan
-description: Devise the number of deployment rings you need and how you want to populate them
+description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Create a deployment plan
-**Applies to**
-
-- Windows 10
-- Windows 11
-
A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
-At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
A common ring structure uses three deployment groups:
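Review bot: ms.date is left at 12/31/2017 in this hunk even though the metadata block and several body paragraphs change, whereas the deployment-service articles in this patch have their 12/31/2017 dates bumped. Update it for consistency. The new description is also redundant ("deployment rings you need and how you want to populate each of the deployment rings"); "how you want to populate each ring" reads better.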
@@ -31,7 +31,7 @@ A common ring structure uses three deployment groups:
- Broad: Wide deployment
> [!NOTE]
-> Organizations often use different names for their “rings," for example:
+> Organizations often use different names for their rings, for example:
> - First > Fast > Broad
> - Canaries > Early Adopters > Users
> - Preview > Broad > Critical
@@ -45,8 +45,8 @@ There are no definite rules for exactly how many rings to have for your deployme
There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
+- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
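Review bot: the quote cleanup leaves the two bullet labels inconsistent: the first is `"Red button" (service based)` with quotes and the second is `Green button (project based)` without, although both use quoted forms later in the same sentence. Pick one style for both labels. While touching these lines, the context sentence above mixes "service-based" and "project based"; hyphenate both or neither.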
@@ -84,7 +84,7 @@ Analytics can help with defining a good Limited ring of representative devices a
### Who goes in the Limited ring?
-The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
During your pilot and validate phases, you should focus on the following activities:
@@ -93,11 +93,11 @@ During your pilot and validate phases, you should focus on the following activit
- Assess and act if issues are encountered.
- Move forward unless blocked.
-When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+When you deploy to the Limited ring, you'll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
## Broad deployment
-Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network.
+Once the devices in the Limited ring have had a sufficient stabilization period, it's time for broad deployment across the network.
### Who goes in the Broad deployment ring?
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 15d3739ce1..40235bc9bf 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -1,19 +1,24 @@
---
-title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
+title: Deploy drivers and firmware updates
+titlesuffix: Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/22/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index 14b6fec38a..ece5c1e592 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -1,20 +1,24 @@
---
-title: Deploy expedited updates with Windows Update for Business deployment service
-description: Use Windows Update for Business deployment service to deploy expedited updates.
+title: Deploy expedited updates
+titlesuffix: Windows Update for Business deployment service
+description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/14/2023
---
# Deploy expedited updates with Windows Update for Business deployment service
-
-***(Applies to: Windows 11 & Windows 10)***
In this article, you will:
> [!div class="checklist"]
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index b1a289befa..c5cab745c1 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -1,20 +1,24 @@
---
-title: Deploy feature updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy feature updates.
+title: Deploy feature updates
+titlesuffix: Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/14/2023
---
# Deploy feature updates with Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
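Review bot: ms.topic is set to conceptual, but the unchanged body text says the article uses Graph Explorer "to walk through the entire process of deploying a feature update", which is procedural content. The expedited-updates article with its "In this article, you will:" checklist has the same mismatch. Consider how-to or tutorial for both so the topic type matches what the page does.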
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4b8e52781b..b56ef4dffb 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -1,20 +1,24 @@
---
-title: Windows Update for Business deployment service
-description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
+title: Overview of the deployment service
+titlesuffix: Windows Update for Business deployment service
+description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: overview
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 02/14/2023
---
# Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
Windows Update for Business product family has three elements:
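Review bot: the title becomes "Overview of the deployment service" in the same hunk that changes ms.topic from overview to conceptual, so the metadata now contradicts the title. Keep ms.topic: overview here. The new description also repeats itself ("Overview of deployment service to control ... with the deployment service"); drop the trailing "with the deployment service".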
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index ad489103a6..c75475842c 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -1,20 +1,24 @@
---
-title: Prerequisites for the Windows Update for Business deployment service
-description: Prerequisites for using the Windows Update for Business deployment service.
+title: Prerequisites for the deployment service
+titlesuffix: Windows Update for Business deployment service
+description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/14/2023
---
# Windows Update for Business deployment service prerequisites
-***(Applies to: Windows 11 & Windows 10)***
-
Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
## Azure and Azure Active Directory
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index f6be148c37..836eba7c18 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -1,22 +1,24 @@
---
-title: Troubleshoot the Windows Update for Business deployment service
-description: Solutions to common problems with the service
+title: Troubleshoot the deployment service
+titlesuffix: Windows Update for Business deployment service
+description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: troubleshooting
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 02/14/2023
---
-
-
# Troubleshoot the Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
## The device isn't receiving an update that I deployed
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
index e0298e93f1..df57df3874 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -1,7 +1,7 @@
---
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
-ms.date: 07/04/2023
+ms.date: 08/21/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Manage driver and firmware updates (public preview)
-
-> [!IMPORTANT]
-> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
+# Manage driver and firmware updates
You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 30b2c45a91..d814cd921f 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 08/08/2023
+ms.date: 08/21/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -27,7 +27,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
-| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature |
+| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | General Availability- [MC661218](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
+| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature - [MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## July 2023
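Review bot: as shown, both added table rows end after the Message center link and the closing `|` sits on a line of its own, which splits the row and will break the table rendering if that is how the file is written; keep each row on a single line. The separator before the MC number is also inconsistent ("General Availability- [MC661218]" versus "feature - [MC667662]"), and both links point at the generic Message center home URL rather than the specific post.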
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index b4983f373e..2e4ec8b5e5 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -4,7 +4,7 @@ description: Learn about User Account Control (UAC) components and how it intera
ms.collection:
- highpri
- tier2
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 05/24/2023
---
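Review bot: ms.topic moves from conceptual to concept-article here and in the other security articles, but the deployment/update files earlier in this same patch are newly set to ms.topic: conceptual (check-release-health.md, create-deployment-plan.md and the deployment-service articles). If conceptual is being retired in favor of concept-article, those hunks should use the new value too; if both values remain valid, the commit message should state which one applies where.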
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
index d0f5b5db9d..aad3fb9eab 100644
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -4,7 +4,7 @@ description: Learn how User Account Control (UAC) helps to prevent unauthorized
ms.collection:
- highpri
- tier2
-ms.topic: conceptual
+ms.topic: overview
ms.date: 05/24/2023
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 24f07d7ca7..a190d84898 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -41,8 +41,6 @@ The blocklist is updated with each new major release of Windows, typically 1-2 t
Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
-[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)]
-
## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
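Review bot: removing the microsoft-vulnerable-driver-blocklist licensing include is a content change, not a metadata change like the rest of this patch, and nothing in the hunk explains it. Please confirm the removal is intentional and note the reason in the commit message, and check whether the include file is still referenced elsewhere or should be deleted along with this reference.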
diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md
index 4a758c6aa6..b31f712e0f 100644
--- a/windows/security/cloud-security/index.md
+++ b/windows/security/cloud-security/index.md
@@ -2,7 +2,7 @@
title: Windows and cloud security
description: Get an overview of cloud security features in Windows
ms.date: 08/02/2023
-ms.topic: conceptual
+ms.topic: overview
author: paolomatarazzo
ms.author: paoloma
---
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 101a50568b..1b41b86816 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,7 +2,7 @@
ms.date: 08/03/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.topic: conceptual
+ms.topic: concept-article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 47f0d59394..e384f47efe 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,7 +1,7 @@
---
title: Enterprise certificate pinning
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 05/24/2023
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index dc32004a43..64d320047f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business cloud-only deployment
description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
ms.date: 06/23/2021
ms.topic: how-to
+ms.custom: has-azure-ad-ps-ref
---
# Cloud-only deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b7b8a64228..7882589fd0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -22,7 +22,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
### Resolve PIN Reset allowed domains issue
-To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices).
+To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Azure AD joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
## Hybrid key trust sign in broken due to user public key deletion
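Review bot: The new link target `hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices` only resolves because the heading in hello-feature-pin-reset.md is renamed in the same patch, so the two changes have to land together. The old anchor `#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices` no longer exists after the rename. Please search the repo for other inbound links to it, and to `#connect-azure-active-directory-with-the-pin-reset-service`, whose heading is also removed, and update them.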
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e2c5e5c7c4..9f0e8d48ae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,166 +1,117 @@
---
-title: Pin Reset
-description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
+title: PIN reset
+description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
ms.collection:
- highpri
- tier1
-ms.date: 07/03/2023
+ms.date: 08/15/2023
ms.topic: how-to
---
# PIN reset
-Windows Hello for Business provides the capability for users to reset forgotten PINs using the *I forgot my PIN* link from the Sign-in options page in *Settings* or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN.
+This article describes how *Microsoft PIN reset service* enables your users to recover a forgotten Windows Hello for Business PIN.
-There are two forms of PIN reset:
+## Overview
-- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
-- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
-## Using PIN reset
+Windows Hello for Business provides the capability for users to reset forgotten PINs. There are two forms of PIN reset:
-There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
+- *Destructive PIN reset*: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration
+- *Non-destructive PIN reset*: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the *Microsoft PIN reset service* and configure your clients' policy to enable the *PIN recovery* feature
-Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
-
->[!IMPORTANT]
->For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
-
-### Reset PIN from Settings
-
-1. Sign-in to Windows 10 using an alternate credential.
-1. Open **Settings**, select **Accounts** > **Sign-in options**.
-1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions.
-
-### Reset PIN above the Lock Screen
-
-For Azure AD-joined devices:
-
-1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Select **I forgot my PIN** from the PIN credential provider.
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key).
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
-
-For Hybrid Azure AD-joined devices:
-
-1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Select **I forgot my PIN** from the PIN credential provider.
-1. Enter your password and press enter.
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
-
-> [!NOTE]
-> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
-
-You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
-
-## Non-Destructive PIN reset
+## How non-destructive PIN reset works
**Requirements:**
-- Azure Active Directory
-- Windows Enterprise and Pro editions. There's no licensing requirement for this feature.
-- Hybrid Windows Hello for Business deployment
-- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
+- Hybrid or cloud-only Windows Hello for Business deployments
+- Windows Enterprise, Education and Pro editions. There's no licensing requirement for this feature
-When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
-Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
+Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment.
->[!IMPORTANT]
-> The Microsoft PIN Reset service is not currently available in Azure Government.
+The following table compares destructive and non-destructive PIN reset:
-### Summary
-
-|Category|Destructive PIN Reset|Non-Destructive PIN Reset|
+|Category|Destructive PIN reset|Non-Destructive PIN reset|
|--- |--- |--- |
-|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Windows editions and versions**| Windows Enterprise and Pro editions.|
+|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
-|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
+|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for hybrid Azure AD joined and Azure AD Joined devices.|
+|**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
-### Onboarding the Microsoft PIN reset service to your Intune tenant
+## Enable the Microsoft PIN Reset Service in your Azure AD tenant
-> The **Microsoft PIN Reset Service** is not currently available in Azure Government.
+Before you can use non-destructive PIN reset, you must register two applications in your Azure Active Directory tenant:
-### Enable the Microsoft PIN Reset Service in your Azure AD tenant
+- Microsoft Pin Reset Service Production
+- Microsoft Pin Reset Client Production
-Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:
+To register the applications, follow these steps:
-- PIN Reset Service
-- PIN Reset Client
+:::row:::
+ :::column span="3":::
+ 1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pinreset/pin-reset-service-prompt.png" lightbox="images/pinreset/pin-reset-service-prompt.png" border="true":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pinreset/pin-reset-client-prompt.png" lightbox="images/pinreset/pin-reset-client-prompt.png" border="true":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
+ :::column-end:::
+:::row-end:::
-#### Connect Azure Active Directory with the PIN Reset Service
+### Confirm that the two PIN Reset service principals are registered in your tenant
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
- 
-
-#### Connect Azure Active Directory with the PIN Reset Client
-
-1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
- 
-
-#### Confirm that the two PIN Reset service principals are registered in your tenant
-
-1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com).
-1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**.
-1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list.
+1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
+1. Select **Azure Active Directory > Applications > Enterprise applications**
+1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
:::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
-### Enable PIN Recovery on your devices
+## Enable PIN recovery on the clients
-Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).
+To enable PIN recovery on the clients, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Configuration profiles** > **Create profile**.
-1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**.
- - **Profile type**: Select **Settings catalog**.
-1. Select **Create**.
-1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile.
- - **Description**: Enter a description for the profile. This setting is optional, but recommended.
-1. Select **Next**.
-1. In **Configuration settings**, select **Add settings**.
-1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**.
-1. Configure **Enable Pin Recovery** to **true**.
-1. Select **Next**.
-1. In **Scope tags**, assign any applicable tags (optional).
-1. Select **Next**.
-1. In **Assignments**, select the security groups that will receive the policy.
-1. Select **Next**.
-1. In **Review + create**, review your settings and select **Create**.
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello For Business** | Enable Pin Recovery | True |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-> 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
+>
+> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+> 1. Select **Endpoint security > Account protection > Create Policy**
-#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO).
-
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-1. Edit the Group Policy object from Step 1.
-1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
-1. Close the Group Policy Management Editor to save the Group Policy object.
-
-#### [:::image type="icon" source="../../images/icons/windows-os.svg"::: **CSP**](#tab/CSP)
-
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
-
-- OMA-URI: `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`
-- Data type: **Boolean**
-- Value: **True**
+| OMA-URI |Data type| Value|
+|-|-|-|
+| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | Tue |
>[!NOTE]
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
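Review bot: Typo in the added OMA-URI table for the custom policy: the Value cell reads `Tue` and should be `True`, matching the removed CSP tab (`Value: **True**`) and the Settings catalog table above it. As written, anyone copying the row into a custom profile enters an invalid Boolean for EnablePinRecovery. Three smaller points on this hunk. Both statements that the Microsoft PIN Reset Service is not available in Azure Government are deleted without a replacement, so please confirm that is intentional or keep one. The new reference-style links `[APP-1]`, `[APP-2]`, `[INT-1]` and `[CSP-1]` need definitions that this hunk does not show; check that they exist and that the two admin consent URLs that used to be inline are carried over unchanged. Step 3 names the *Microsoft Pin Reset Service Production* application again while saying the consent covers both applications; consider rewording so it is clear which prompt the administrator is reviewing before selecting **Accept**.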
@@ -169,6 +120,16 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**:
+
+| Group policy setting | Value |
+| - | - |
+| **Use PIN Recovery** | **Enabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
---
#### Confirm that PIN Recovery policy is enforced on the devices
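Review bot: The unchanged heading `#### Confirm that PIN Recovery policy is enforced on the devices` at the end of this hunk is out of step with the restructure. Its parent was promoted to `## Enable PIN recovery on the clients`, so this subsection now sits at level 4 directly under a level 2 heading, and it keeps the old "PIN Recovery" capitalization. Suggest `### Confirm that PIN recovery policy is enforced on the devices`. Also worth a quick render check: with the GPO tab moved below the Graph call, the TenantId note and the `GET https://graph.microsoft.com/v1.0/organization?$select=id` block now belong to the Intune tab, which is correct only if that was the intent.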
@@ -177,7 +138,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Sample User state Output for Destructive PIN Reset**
-```console
+```cmd
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
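Review bot: The fence tag changes from `console` to `cmd`, but the block under "Sample User state Output for Destructive PIN Reset" is captured output of `dsregcmd /status`, not commands to type. If `cmd` is meant for commands in this doc set, `console` was the better fit for output. If the change is a deliberate convention, fine; the same question applies to the non-destructive sample in the next hunk.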
@@ -196,7 +157,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Sample User state Output for Non-Destructive PIN Reset**
-```console
+```cmd
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
@@ -213,49 +174,72 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
+----------------------------------------------------------------------+
```
-## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
+## Configure allowed URLs for federated identity providers on Azure AD joined devices
-**Applies to:**
+**Applies to:** Azure AD joined devices
-- Azure AD joined devices
+PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
+If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
-### Configure Web Sign-in Allowed URLs using Microsoft Intune
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Configure Web Sign In Allowed Urls | Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**|
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. Select **Devices** > **Configuration profiles** > **Create profile**
-1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**
- - **Profile type**: Select **Templates**
- - In the list of templates that is loaded, select **Custom** > **Create**
-1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile
- - **Description**: Enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
-1. In **Configuration settings**, select **Add** and enter the following settings:
- - Name: **Web Sign In Allowed URLs**
- - Description: **(Optional) List of domains that are allowed during PIN reset flows**
- - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
- - Data type: **String**
- - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**
- :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png":::
-1. Select **Save** > **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Applicability Rules**, select **Next**
-1. In **Review + create**, review your settings and select **Create**
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-2].
+
+| Setting |
+|--------|
+| OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` Data type: String Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**|
> [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
-## Related articles
+## Use PIN reset
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+Destructive and non-destructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the *PIN credential provider*. Users must authenticate and complete multi-factor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN.
+
+>[!IMPORTANT]
+>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
+
+### Reset PIN from Settings
+
+1. Sign-in to Windows 10 using an alternate credential
+1. Open **Settings > Accounts > Sign-in options**
+1. Select **PIN (Windows Hello) > I forgot my PIN** and follow the instructions
+
+### Reset PIN from the lock screen
+
+For Azure AD-joined devices:
+
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Select an authentication option from the list of presented options. This list is based on the different authentication methods enabled in your tenant (like Password, PIN, Security key)
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
+
+:::image type="content" alt-text="Animation showing the PIN reset experience from the lock screen." source="images/pinreset/pin-reset.gif" border="false":::
+
+For Hybrid Azure AD-joined devices:
+
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Enter your password and press enter
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
+
+> [!NOTE]
+> Key trust on hybrid Azure AD-joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
+
+You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
+[INT-1]: /mem/intune/configuration/settings-catalog
+[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&redirect_uri=https%3A%2F%2Fcred.microsoft.com&prompt=admin_consent
+[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&prompt=admin_consent
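Review bot: The added line "Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-2]" links the words "custom policy" to `[INT-1]`, which the reference block at the end of the file defines as `/mem/intune/configuration/settings-catalog`. That target is the settings catalog article, not the custom (OMA-URI) profile that the table below the sentence describes, so either add a separate reference for the custom-settings article or reword the link text. Smaller point in the same hunk: step 1 under "Reset PIN from Settings" uses "Sign-in" as a verb; the verb form is "Sign in", matching "sign in using their new PIN" a few lines earlier.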
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 219e82d35c..ee7ba7e558 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.date: 2/15/2022
-ms.topic: article
+ms.topic: overview
---
# Windows Hello for Business Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index b1338f11e5..8c6856a2da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.date: 10/08/2018
-ms.topic: article
+ms.topic: glossary
---
# Technology and terms
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 93bfd6d56a..a39e31f06f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.date: 05/05/2018
-ms.topic: article
+ms.topic: overview
---
# How Windows Hello for Business works in Windows Devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index bcd910f606..b512d1a236 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -2,7 +2,7 @@
title: Configure single sign-on (SSO) for Azure AD joined devices
description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
ms.date: 12/30/2022
-ms.topic: article
+ms.topic: how-to
---
# Configure single sign-on for Azure AD joined devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index d1059a1570..4765ae8d4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -174,7 +174,7 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
-1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+1. For Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
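Review bot: Step 3 now reads "For Azure AD joined devices, sign out and sign in ...", but the unchanged note directly under it still begins "For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC." After this edit the list has no step that tells hybrid joined devices to do anything, while the note still describes a hybrid-only requirement. If the sign-out/sign-in step applies to both join types, say so in the step; if it really applies only to Azure AD joined devices, add the hybrid step the note refers to, or reword the note so it no longer hangs off a step that excludes it.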
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 576ffdb0a4..2efe441a67 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -5,7 +5,7 @@ ms.collection:
- highpri
- tier1
ms.date: 2/15/2022
-ms.topic: article
+ms.topic: how-to
---
# Manage Windows Hello for Business in your organization
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 3363f0ae55..0ce80daac5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -2,7 +2,7 @@
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 09/16/2020
-ms.topic: article
+ms.topic: overview
---
# Planning a Windows Hello for Business Deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index fc9083049d..96c1df3462 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -2,7 +2,7 @@
title: Prepare people to use Windows Hello
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.date: 08/19/2018
-ms.topic: article
+ms.topic: end-user-help
---
# Prepare people to use Windows Hello
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 0963b04163..4ba5142f01 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -2,7 +2,7 @@
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
ms.date: 03/09/2023
-ms.topic: article
+ms.topic: get-started
---
# Windows Hello for Business Videos
## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png
deleted file mode 100644
index df2fc5634a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png
deleted file mode 100644
index 35eee9bc5e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png
index 2bfb558bbf..d5c3416a67 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png
new file mode 100644
index 0000000000..86d43fcb2c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png
index 39f21df392..755c1b66e0 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
new file mode 100644
index 0000000000..2ef07cd63c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 84acf6b19c..86a2aa8e8d 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -4,7 +4,7 @@ description: Learn how Windows Hello for Business replaces passwords with strong
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
+ms.topic: overview
ms.date: 04/24/2023
---
# Windows Hello for Business Overview
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index d19b1a018c..ad2fc7674a 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -110,9 +110,9 @@ items:
href: hello-and-password-changes.md
- name: Windows Hello for Business features
items:
- - name: PIN Reset
+ - name: PIN reset
href: hello-feature-pin-reset.md
- - name: Dual Enrollment
+ - name: Dual enrollment
href: hello-feature-dual-enrollment.md
- name: Dynamic Lock
href: hello-feature-dynamic-lock.md
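Review bot: The casing change stops halfway through the list: "PIN reset" and "Dual enrollment" move to sentence case, but the next entry in the same `items:` block is still "Dynamic Lock". If "Dynamic Lock" is being kept as a feature name, that is fine but worth a word in the commit description; otherwise lowercase it here so the sibling entries are consistent.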
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 7646115753..1eb2da9944 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -2,7 +2,7 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 07/27/2023
-ms.topic: article
+ms.topic: how-to
---
# WebAuthn APIs for passwordless authentication on Windows
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 5443446244..35ace33d60 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,7 +2,7 @@
ms.date: 09/24/2021
title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.topic: article
+ms.topic: conceptual
ms.reviewer: ardenw
---
# Smart Card and Remote Desktop Services
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index d305de2eae..f66eedf547 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,7 +2,7 @@
title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference-architecture
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index f44786fcb1..62737034ae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,7 +2,7 @@
title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 08/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ac153d8216..9931e52d1f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,7 +2,7 @@
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
@@ -175,7 +175,7 @@ The smart card certificate has specific format requirements when it is used with
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`` |
+| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`` |
| Key usage | Digital signature | Digital signature |
| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) |
| extended key usage (EKU) | The smart card sign-in object identifier is not required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
@@ -310,4 +310,4 @@ For more information about this option for the command-line tool, see [-SCRoots]
## See also
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index afd45f5a5f..8193759010 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -5,7 +5,7 @@ ms.reviewer: ardenw
ms.collection:
- highpri
- tier2
-ms.topic: article
+ms.topic: troubleshooting
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index e2ef4a9160..f3f0e7de99 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,7 +2,7 @@
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
ms.date: 11/02/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 5d498cb152..5ad7eb1205 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,7 +2,7 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: overview
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 8250828ff6..4b9fd9a3fd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,7 +2,7 @@
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index e3a98718be..2604d84270 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,7 +2,7 @@
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 4de4acbfc6..f18465fff3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,7 +2,7 @@
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: conceptual
ms.date: 09/24/2021
---
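Review bot: `ms.topic: conceptual` here is inconsistent with the choice made for smart-card-how-smart-card-sign-in-works-in-windows.md earlier in this patch. Both descriptions say the page mainly links out to other content ("links to information about smart card debugging, settings, and events" here, "provides links to resources" there), yet that file is set to `overview` and this one to `conceptual`. Pick one value for these link-hub pages, or note why they differ.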
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 07d20ddf30..a7e5247fcc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,7 +2,7 @@
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
ms.date: 09/24/2021
---
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 2464ef0104..3faff60393 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -13,7 +13,7 @@ ms.date: 08/03/2023
Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
-BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
+BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
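Review bot: The typo fix ("ant" to "and") is correct, but the first context line of this hunk still opens with "Bitlocker is a Windows disk encryption feature" while every other occurrence in the paragraph is "BitLocker". Since the paragraph is being touched anyway, fix the product-name casing in the same change. The corrected sentence would also read better with a comma before the conjunction: "installed in many devices, and it works with BitLocker".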
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 5aae45f5c3..21b3797cf1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -1,7 +1,7 @@
---
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
-ms.topic: article
+ms.topic: how-to
ms.date: 08/03/2023
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index fa3fa7d18b..cba1170eaa 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -6,7 +6,7 @@ ms.date: 11/09/2022
ms.collection:
- highpri
- tier3
-ms.topic: article
+ms.topic: best-practice
---
# Best practices for configuring Windows Defender Firewall
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index d34c1295ff..1cb3c7c91f 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -2,14 +2,14 @@
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
ms.prod: windows-client
-ms.date: 11/03/2022
+ms.date: 08/18/2023
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
ms.collection:
- highpri
- tier3
-ms.topic: article
+ms.topic: reference
ms.localizationpriority: medium
ms.reviewer:
ms.technology: itpro-security
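Review bot: `ms.date` is bumped to 08/18/2023 here, but the only other change in this file is the `ms.topic` value, and the other metadata-only hunks in this patch leave their `ms.date` untouched. Either the date should be refreshed everywhere the topic type changes or nowhere; as written, this file alone will look freshly reviewed without any content change. The empty `ms.reviewer:` key in the trailing context could also be dropped or filled while the front matter is being edited.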
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index c79a189b61..0e0bc1697c 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
ms.author: sushmanemali
author: s4sush
manager: aaroncz
-ms.topic: article
+ms.topic: reference
ms.localizationpriority: medium
ms.date: 11/4/2022
ms.reviewer: paoloma
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
index 52c893e6cb..0f47d591b2 100644
--- a/windows/security/security-foundations/index.md
+++ b/windows/security/security-foundations/index.md
@@ -1,7 +1,7 @@
---
title: Windows security foundations
description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: conceptual
+ms.topic: overview
ms.date: 06/15/2023
author: paolomatarazzo
ms.author: paoloma
diff --git a/windows/security/security-foundations/msft-security-dev-lifecycle.md b/windows/security/security-foundations/msft-security-dev-lifecycle.md
index 4f96b191e4..99fc260eb9 100644
--- a/windows/security/security-foundations/msft-security-dev-lifecycle.md
+++ b/windows/security/security-foundations/msft-security-dev-lifecycle.md
@@ -4,13 +4,13 @@ description: Download the Microsoft Security Development Lifecycle white paper t
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
-ms.topic: article
+ms.topic: conceptual
ms.date: 07/31/2023
---
# Microsoft Security Development Lifecycle
-The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
+The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index fd5538b2a7..5c246fea41 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -1,8 +1,8 @@
---
-title: Allow log on locally - security policy setting
+title: Allow log on locally - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
> **Note:** Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.
-
+
Constant: SeInteractiveLogonRight
### Possible values
@@ -48,6 +48,7 @@ By default, the members of the following groups have this right on domain contro
- Account Operators
- Administrators
- Backup Operators
+- Enterprise Domain Controllers
- Print Operators
- Server Operators
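Review bot: the new `- Enterprise Domain Controllers` entry changes the documented default holders of SeInteractiveLogonRight on domain controllers, but the hunks for this file only touch old lines 1-8, 29-35, 48-53, 62-78 and 112-116. The text in between is left as it was, including the passage quoted in the last hunk header ("If you remove these default groups, you could limit the abilities of users who a..."). Please check whether any best-practice, countermeasure or impact text in that untouched range enumerates the default groups and needs the same addition, so the page does not describe two different default sets.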
@@ -62,17 +63,17 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol
### Default values
-The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not Defined |
-| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators |
+| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators |
| Stand-Alone Server Default Settings| Administrators
Backup Operators
Users |
-| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators |
+| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators |
| Member Server Effective Default Settings | Administrators
Backup Operators
Users |
| Client Computer Effective Default Settings | Administrators
Backup Operators
Users |
-
+
## Policy management
Restarting the device is not required to implement this change.
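Review bot: please split the typography and whitespace churn out of this hunk. The apostrophe swap in "policy's property page" and the blank-line replacement just before `## Policy management` sit next to the one substantive edit, the `Enterprise Domain Controllers` entry added to the Default Domain Controller Policy and Domain Controller Effective Default Settings rows. Since that edit changes a documented security default, it would be easier to audit in a commit of its own. The two rows do agree with the bulleted list changed at old line 48, which is good.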
@@ -112,5 +113,5 @@ If you remove these default groups, you could limit the abilities of users who a
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 63272a0b01..03d85f19cb 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -42,7 +42,7 @@ This policy setting allows you to specify an ACL in two different ways. You can
- Blank
- This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
+ This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. To set a blank value, select "Define this policy setting" and leave the Security descriptor empty, and then select OK.
### Location
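Review bot: the UI labels in the added sentence are formatted inconsistently: "Define this policy setting" is in straight quotes while Security descriptor and OK carry no formatting at all. Another page in this patch writes a UI name in bold (`**Allow logon through Remote Desktop Services**`), so I would suggest: To set a blank value, select **Define this policy setting**, leave **Security descriptor** empty, and then select **OK**. That also removes the doubled "and ... , and then" construction. Because this step deletes the policy enforcement key, the labels should be unambiguous for an admin following it.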
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 5d0649468d..b7d2de8f44 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
+| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://www.alljoyn.org/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
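Review bot: the added AllJoyn row has a few text defects worth fixing before merge. There is no space after the period in "temperatures.AllSeen Alliance". The link text "Alljoyn Router Service" uses different casing from "AllJoyn" everywhere else in the cell. The opening clause "Microsoft's implementation of AllJoyn which included ... has been deprecated" needs commas around the which-clause to read correctly. The cell is also much longer than its neighbours; the history of AllSeen Alliance and OCF could be trimmed so that the deprecation and the suggested alternatives stand out.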
@@ -89,3 +90,4 @@ The features in this article are no longer being actively developed, and might b
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019.|
+
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 3a56385d67..5431f9f832 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -7,7 +7,7 @@ ms.author: paoloma
manager: aaroncz
ms.collection:
- tier2
-ms.topic: conceptual
+ms.topic: overview
ms.date: 05/04/2023
appliesto:
- ✅ Windows 11