diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 832811db7c..01fb6fa851 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19654,6 +19654,26 @@ "source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md", "redirect_url": "/windows/configuration/windows-accessibility-for-ITPros", "redirect_document_id": false + }, + { + "source_path": "education/windows/take-a-test-multiple-pcs.md", + "redirect_url": "/education/windows/edu-take-a-test-kiosk-mode", + "redirect_document_id": false + }, + { + "source_path": "education/windows/take-a-test-single-pc.md", + "redirect_url": "/education/windows/take-tests-in-windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/take-tests-in-windows-10.md", + "redirect_url": "/education/windows/take-tests-in-windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/change-history-edu.md", + "redirect_url": "/education/windows", + "redirect_document_id": false } ] } diff --git a/education/index.yml b/education/index.yml index 6ed1dbb047..1a3a69e704 100644 --- a/education/index.yml +++ b/education/index.yml @@ -23,7 +23,7 @@ productDirectory: # Card - title: Phase 1 - Cloud deployment imageSrc: ./images/EDU-Deploy.svg - summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your active directry and SIS, and license users. + summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your Active Directory and SIS, and license users. url: /microsoft-365/education/deploy/create-your-office-365-tenant # Card - title: Phase 2 - Device management diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index b3ef37c53c..3fda1c6630 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml 
@@ -12,8 +12,10 @@ items: items: - name: Overview href: windows-11-se-overview.md - - name: Settings and CSP list + - name: Settings list href: windows-11-se-settings-list.md + - name: Frequently Asked Questions (FAQ) + href: windows-11-se-faq.yml - name: Windows in S Mode items: - name: Test Windows 10 in S mode on existing Windows 10 education devices @@ -27,19 +29,15 @@ items: - name: Windows 10 configuration recommendations for education customers href: configure-windows-for-education.md - name: Take tests and assessments in Windows - href: take-tests-in-windows-10.md + href: take-tests-in-windows.md - name: How-to-guides items: - - name: Configure education features - items: - - name: Configure education themes - href: edu-themes.md - - name: Configure Stickers - href: edu-stickers.md - - name: Configure Take a Test on a single PC - href: take-a-test-single-pc.md - - name: Configure a Test on multiple PCs - href: take-a-test-multiple-pcs.md + - name: Configure education themes + href: edu-themes.md + - name: Configure Stickers + href: edu-stickers.md + - name: Configure Take a Test in kiosk mode + href: edu-take-a-test-kiosk-mode.md - name: Use the Set up School PCs app href: use-set-up-school-pcs-app.md - name: Change Windows edition @@ -96,8 +94,6 @@ items: href: set-up-school-pcs-provisioning-package.md - name: What's new in Set up School PCs href: set-up-school-pcs-whats-new.md - - name: Take a Test app technical reference + - name: Take a Test technical reference href: take-a-test-app-technical.md - - name: Change history for Windows 10 for Education - href: change-history-edu.md diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md deleted file mode 100644 index 2b3d262830..0000000000 --- a/education/windows/change-history-edu.md +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -title: Change history for Windows 10 for Education (Windows 10) -description: New and changed topics in Windows 10 for Education -keywords: Windows 10 education documentation, change history -ms.prod: windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -ms.collection: education -author: paolomatarazzo -ms.author: paoloma -ms.date: 08/10/2022 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 10 ---- -# Change history for Windows 10 for Education - -This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation. - -## May 2019 - -|New or changed topic | Description| -|-----------|-------------| -|[Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education| - -## April 2018 -New or changed topic | Description ---- | --- -[Windows 10 Pro in S mode for Education](s-mode-switch-to-edu.md) | Created a new topic on S mode for Education. | -[Change to Windows 10 Education from Windows 10 Pro](change-to-pro-education.md) | Updated sections referencing S mode. - -## March 2018 - -New or changed topic | Description ---- | --- -[Reset devices with Autopilot Reset](autopilot-reset.md) | Added section for troubleshooting Autopilot Reset. - -## November 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. | -| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | -| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. 
| -| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added more information about the Ctrl+Alt+Del key combination. | - -## RELEASE: Windows 10, version 1709 (Fall Creators Update) - -| New or changed topic | Description | -| --- | ---- | -| [Reset devices with Autopilot Reset](autopilot-reset.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the *Go back to your previous edition of Windows 10* section with new information on how to work around cases where Win32 apps are blocked after switching from Windows 10 S back to your previous Windows edition. | -| [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps. | - -## September 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. | - -## August 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. 
| -| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | - -## July 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. | -| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. | -| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. | - -## June 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs.
- New configuration information when using Windows 10 S for education. | -| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs. | -| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). | - -## May 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | -| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | - -## RELEASE: Windows 10, version 1703 (Creators Update) - -| New or changed topic | Description| -| --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | -| [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | -| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. 
Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. | -| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | -| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. | -| Set up School PCs app:
[Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
[Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | -| Set up using Windows Configuration Designer:
[Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
[Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. | -| [Take tests in Windows 10](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
[Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. | - -## January 2017 - -| New or changed topic | Description | -| --- | --- | -| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. | - -## December 2016 - -| New or changed topic | Description | -| --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | - -## November 2016 - -| New or changed topic | Description| -| --- | --- | -| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Microsoft Store for Business. | -| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | -| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | - - -## RELEASE: Windows 10, version 1607 (Anniversary Update) -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). 
The following new topics have been added: - -- [Set up Windows 10](set-up-windows-10.md) -- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) -- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) -- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) - -## July 2016 - -| New or changed topic | Description| -| --- | --- | -| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. | -|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use Configuration Manager, Intune, and Group Policy to manage devices. | - -## June 2016 - -| New or changed topic | Description | -|----------------------|-------------| -| [Get Minecraft Education Edition](get-minecraft-for-education.md)
[For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
[For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. | - -## May 2016 - -| New or changed topic | Description | -|----------------------|-------------| -| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. | -| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. | -| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
[Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. | -| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 | \ No newline at end of file diff --git a/education/windows/deploy-windows-10-overview.md b/education/windows/deploy-windows-10-overview.md index 7fe730e070..6eaf25ef11 100644 --- a/education/windows/deploy-windows-10-overview.md +++ b/education/windows/deploy-windows-10-overview.md @@ -47,7 +47,7 @@ Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-base Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution. -**[Take tests in Windows 10](take-tests-in-windows-10.md)** +**[Take tests in Windows](take-tests-in-windows.md)** Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up. diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index f2bb99a869..717f74fe2a 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -37,23 +37,23 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: +To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings: | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | -Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on. +Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) -To configure Stickers using a provisioning package, use the following settings: +To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: | Setting | |--------| |
  • Path: **`Education/AllowStickers`**
  • Value: **True**
  • | -Apply the provisioning package to the devices that you want to enable Stickers on. +Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. --- @@ -74,4 +74,7 @@ Select the *X button* at the top of the screen to save your progress and close t ----------- -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 + +[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package +[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package \ No newline at end of file diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md new file mode 100644 index 0000000000..77fb1c113c --- /dev/null +++ b/education/windows/edu-take-a-test-kiosk-mode.md 
@@ -0,0 +1,235 @@
+---
+title: Configure Take a Test in kiosk mode
+description: Description of how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
+ms.date: 09/30/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Configure Take a Test in kiosk mode
+
+Executing Take a Test in kiosk mode is the recommended option for high stakes assessments, such as mid-term exams. In this mode, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. Students must sign in using a test-taking account.
+
+The configuration of Take a Test in kiosk mode can be done using:
+
+- Microsoft Intune/MDM
+- a provisioning package (PPKG)
+- PowerShell
+- the Settings app
+
+When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
+The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account.
+
+> [!TIP]
+> While you could create a single account in the directory to be the dedicated test-taking account, it is recommended to use a guest account. This way, you don't get into a scenario where the testing account is locked out due to bad password attempts or other factors.
+>
+> An additional benefit of using a guest account, is that your students don't have to type a password to access the test.
+
+Follow the instructions below to configure your devices, selecting the option that best suits your needs.
+
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+You can use Intune for Education or a custom profile in Microsoft Intune:
+
+- Intune for Education provides a simpler experience
+- A custom profile provides more flexibility and controls over the configuration
+
+> [!IMPORTANT]
+> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.**
+>
+> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy.
+
+### Configure Take a Test from Intune for Education
+
+To configure devices using Intune for Education, follow these steps:
+
+1. Sign in to the Intune for Education portal
+1. Select **Groups** > Pick a group to configure Take a Test for
+1. Select **Windows device settings**
+1. Expand the **Take a Test profiles** category and select **+ Assign new Take a Test profile**
+1. Specify a **Profile Name**, **Account Name**, **Assessment URL** and, optionally, **Description** and options allowed during the test
+1. Select **Create and assign profile**
+
+:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true":::
+
+### Configure Take a Test with a custom policy
+
+To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
+
+| Setting |
+|--------|
+|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Data type: **Integer**
  • Value: **1**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`**
  • Data type: **Integer**
  • Value: **1**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**
  • Data type: **Integer**
  • Value: **1**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**
  • Data type: **Boolean**
  • Value: **True**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**
  • Data type: **String**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`**
  • Data type: **String**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`**
  • Data type: **String**
  • Value: **\**
  • |
+
+:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer:
+
+- Set up School PCs provides a simpler, guided experience
+- Windows Configuration Designer provides more flexibility and controls over the configuration
+
+### Create a provisioning package using Set up School PCs
+
+Create a provisioning package using the Set up School PCs app, configuring the settings in the **Set up the Take a Test app** page.
+
+:::image type="content" source="./images/takeatest/suspcs-take-a-test.png" alt-text="Set up School PCs app - Take a test page" lightbox="./images/takeatest/suspcs-take-a-test.png" border="true":::
+
+### Create a provisioning package using Windows Configuration Designer
+
+[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
+
+| Setting |
+|--------|
+|
  • Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Value: **Enabled**
  • | +|
  • Path: **`Policies/WindowsLogon/HideFastUserSwitching`**
  • Value: **True**
  • | +|
  • Path: **`SharedPC/AccountManagement/AccountModel`**
  • Value: **Domain-joined only**
  • | +|
  • Path: **`SharedPC/AccountManagement/EnableAccountManager`**
  • Value: **True**
  • | +|
  • Path: **`SharedPC/AccountManagement/KioskModeAUMID`**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | +|
  • Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | +|
  • Path: **`TakeATest/LaunchURI/`**
  • Value: **\**
  • |
+
+:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::
+
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
+
+#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+
+> [!TIP]
+> PowerShell scripts can be executed as scheduled tasks via Group Policy.
+
+> [!IMPORTANT]
+> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
+>
+> To test a PowerShell script, you can:
+> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
+> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+> 1. 
Run the script in the PowerShell session
+
+Edit the following sample PowerShell script to:
+
+- Customize the assessment URL with **$testURL**
+- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName**
+
+```powershell
+$testURL = "https://contoso.com/algebra-exam"
+$userTileName = "Take a Test"
+$namespaceName = "root\cimv2\mdm\dmmap"
+$ParentID="./Vendor/MSFT/Policy/Config"
+
+#Configure SharedPC
+$className = "MDM_SharedPC"
+$instance = "SharedPC"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.AccountModel = 1
+$cimObject.EnableAccountManager = $true
+$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App"
+$cimObject.KioskModeUserTileDisplayText = $userTileName
+Set-CimInstance -CimInstance $cimObject
+
+#Configure SecureAssessment
+$className = "MDM_SecureAssessment"
+$instance = "SecureAssessment"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.LaunchURI= $testURL
+Set-CimInstance -CimInstance $cimObject
+
+#Configure interactive logon
+$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02"
+$instance = "LocalPoliciesSecurityOptions"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1
+Set-CimInstance -CimInstance $cimObject
+
+#Configure Windows logon
+$className = "MDM_Policy_Config01_WindowsLogon02"
+$instance = "WindowsLogon"
+$cimObject = 
Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.HideFastUserSwitching = 1
+Set-CimInstance -CimInstance $cimObject
+```
+
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win)
+
+To create a local account, and configure Take a Test in kiosk mode using the Settings app:
+
+1. Sign into the Windows device with an administrator account
+1. Open the **Settings** app and select **Accounts** > **Other Users**
+1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account**
+1. Provide a user name and password for the account that will be used for testing
+ :::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true":::
+1. Select **Accounts > Access work or school**
+1. Select **Create a test-taking account**
+ :::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true":::
+1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4
+ :::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true":::
+1. Under **Enter the tests's web address**, enter the assessment URL
+1. Under **Test taking settings** select the options you want to enable during the test
+ - To enable printing, select **Require printing**
+
+ > [!NOTE]
+ > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option. 
+
+ - To enable teachers to monitor screens, select **Allow screen monitoring**
+ - To allow text suggestions, select **Allow text suggestions**
+
+1. To take the test, a student must sign in using the test-taking account selected in step 4
+ :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
+
+ > [!NOTE]
+ > To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `\` or `.\`.
+
+---
+
+## How to use Take a Test in kiosk mode
+
+Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL.
+
+## How to exit Take a Test
+
+To exit the Take a Test app at any time, press Ctrl+Alt+Delete. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal.
+
+The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test:
+
+:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true":::
+
+-----------
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[MEM-2]: /mem/intune/configuration/settings-catalog
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
\ No newline at end of file
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index af6034a005..bff180c066 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
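Review bot: The sample PowerShell script in the PowerShell tab reuses `$ParentID="./Vendor/MSFT/Policy/Config"` for all four CSP instances, but the page's own Intune table places the first two nodes directly under `./Vendor/MSFT` (`./Vendor/MSFT/SharedPC/AccountModel`, `./Vendor/MSFT/SecureAssessment/LaunchURI`), so the `New-CimInstance` fallback in the SharedPC and SecureAssessment sections is given a parent that does not match those URIs and, on a device where the instance does not exist yet, the kiosk settings are likely to fail to apply or land on the wrong node. I would set the parent per section, using `-Property @{ParentID="./Vendor/MSFT";InstanceID=$instance}` in the SharedPC and SecureAssessment blocks and keeping `./Vendor/MSFT/Policy/Config` only for the two `MDM_Policy_Config01_*` classes, and add a comment above `$ParentID` saying it applies to the Policy CSP only. Because the IMPORTANT note tells admins to run this as SYSTEM through `psexec.exe -i -s` or a Group Policy scheduled task, it is also worth one sentence stating that the script file must live in a location writable only by administrators and that `$testURL` should be an HTTPS assessment URL, since whatever the file contains is executed with SYSTEM privileges and the URL is opened unattended in the locked-down browser.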
@@ -31,23 +31,23 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: +To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings: | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
  • | -Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on. +Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) -To configure education themes using a provisioning package, use the following settings: +To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD), with the following settings: | Setting | |--------| |
  • Path: **`Education/EnableEduThemes`**
  • Value: **True**
  • | -Apply the provisioning package to the devices that you want to enable education themes on. +Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. --- @@ -61,4 +61,7 @@ To change the theme, select **Settings** > **Personalization** > **Themes** > ** ----------- -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 + +[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package +[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package \ No newline at end of file diff --git a/education/windows/images/takeatest/TakeATestURL.png b/education/windows/images/takeatest/TakeATestURL.png deleted file mode 100644 index b057763e8b..0000000000 Binary files a/education/windows/images/takeatest/TakeATestURL.png and /dev/null differ diff --git a/education/windows/images/takeatest/desktop-shortcuts.png b/education/windows/images/takeatest/desktop-shortcuts.png new file mode 100644 index 0000000000..fa246eb151 Binary files /dev/null and b/education/windows/images/takeatest/desktop-shortcuts.png differ diff --git a/education/windows/images/takeatest/flow-chart.png b/education/windows/images/takeatest/flow-chart.png new file mode 100644 index 0000000000..ce9aae2853 Binary files /dev/null and b/education/windows/images/takeatest/flow-chart.png differ diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_accountsummary.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_accountsummary.PNG deleted file mode 100644 index e8feb9b5d7..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_accountsummary.PNG and /dev/null differ 
diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_addnewprofile.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_addnewprofile.PNG deleted file mode 100644 index 401bccef4a..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_addnewprofile.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_changegroup_selectgroup.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_changegroup_selectgroup.PNG deleted file mode 100644 index 4c8f0705ce..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_changegroup_selectgroup.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_groupassignment_selected.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_groupassignment_selected.PNG deleted file mode 100644 index 8431e1d0cf..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_groupassignment_selected.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.PNG deleted file mode 100644 index 914f0b4edd..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/i4e_takeatestprofile_newtestaccount.PNG b/education/windows/images/takeatest/i4e_takeatestprofile_newtestaccount.PNG deleted file mode 100644 index 1ec2f0a2e2..0000000000 Binary files a/education/windows/images/takeatest/i4e_takeatestprofile_newtestaccount.PNG and /dev/null differ 
diff --git a/education/windows/images/takeatest/intune-education-take-a-test-profile.png b/education/windows/images/takeatest/intune-education-take-a-test-profile.png new file mode 100644 index 0000000000..440925d5c4 Binary files /dev/null and b/education/windows/images/takeatest/intune-education-take-a-test-profile.png differ diff --git a/education/windows/images/takeatest/intune-take-a-test-custom-profile.png b/education/windows/images/takeatest/intune-take-a-test-custom-profile.png new file mode 100644 index 0000000000..71e94646ec Binary files /dev/null and b/education/windows/images/takeatest/intune-take-a-test-custom-profile.png differ diff --git a/education/windows/images/takeatest/login-screen-take-a-test-single-pc.png b/education/windows/images/takeatest/login-screen-take-a-test-single-pc.png new file mode 100644 index 0000000000..77b4fc7bc6 Binary files /dev/null and b/education/windows/images/takeatest/login-screen-take-a-test-single-pc.png differ diff --git a/education/windows/images/takeatest/settings-accounts-choose-take-a-test-account.png b/education/windows/images/takeatest/settings-accounts-choose-take-a-test-account.png new file mode 100644 index 0000000000..03af072260 Binary files /dev/null and b/education/windows/images/takeatest/settings-accounts-choose-take-a-test-account.png differ diff --git a/education/windows/images/takeatest/settings-accounts-create-take-a-test-account.png b/education/windows/images/takeatest/settings-accounts-create-take-a-test-account.png new file mode 100644 index 0000000000..cc9c1443b2 Binary files /dev/null and b/education/windows/images/takeatest/settings-accounts-create-take-a-test-account.png differ 
diff --git a/education/windows/images/takeatest/settings-accounts-set-up-take-a-test-account.png b/education/windows/images/takeatest/settings-accounts-set-up-take-a-test-account.png new file mode 100644 index 0000000000..8cb28abc78 Binary files /dev/null and b/education/windows/images/takeatest/settings-accounts-set-up-take-a-test-account.png differ diff --git a/education/windows/images/takeatest/sign-in-sign-out.gif b/education/windows/images/takeatest/sign-in-sign-out.gif new file mode 100644 index 0000000000..7b4354b31c Binary files /dev/null and b/education/windows/images/takeatest/sign-in-sign-out.gif differ diff --git a/education/windows/images/takeatest/suspc_choosesettings_setuptakeatest.PNG b/education/windows/images/takeatest/suspc_choosesettings_setuptakeatest.PNG deleted file mode 100644 index 8ffc3fe3e6..0000000000 Binary files a/education/windows/images/takeatest/suspc_choosesettings_setuptakeatest.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/suspc_choosesettings_takeatest.PNG b/education/windows/images/takeatest/suspc_choosesettings_takeatest.PNG deleted file mode 100644 index 9f9f028852..0000000000 Binary files a/education/windows/images/takeatest/suspc_choosesettings_takeatest.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/suspc_choosesettings_takeatest_updated.png b/education/windows/images/takeatest/suspc_choosesettings_takeatest_updated.png deleted file mode 100644 index e44dd21207..0000000000 Binary files a/education/windows/images/takeatest/suspc_choosesettings_takeatest_updated.png and /dev/null differ diff --git a/education/windows/images/takeatest/suspc_createpackage_takeatest.png b/education/windows/images/takeatest/suspc_createpackage_takeatest.png deleted file mode 100644 index 0be05a727d..0000000000 Binary files a/education/windows/images/takeatest/suspc_createpackage_takeatest.png and /dev/null differ 
diff --git a/education/windows/images/takeatest/suspc_createpackage_takeatestpage.PNG b/education/windows/images/takeatest/suspc_createpackage_takeatestpage.PNG deleted file mode 100644 index df8c2cc5b5..0000000000 Binary files a/education/windows/images/takeatest/suspc_createpackage_takeatestpage.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/suspc_createpackage_takeatestpage_073117.PNG b/education/windows/images/takeatest/suspc_createpackage_takeatestpage_073117.PNG deleted file mode 100644 index 4a4ec886a5..0000000000 Binary files a/education/windows/images/takeatest/suspc_createpackage_takeatestpage_073117.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/suspcs-take-a-test.png b/education/windows/images/takeatest/suspcs-take-a-test.png new file mode 100644 index 0000000000..fca5587d78 Binary files /dev/null and b/education/windows/images/takeatest/suspcs-take-a-test.png differ diff --git a/education/windows/images/takeatest/take_a_test_flow_dark.png b/education/windows/images/takeatest/take_a_test_flow_dark.png deleted file mode 100644 index 98255e8694..0000000000 Binary files a/education/windows/images/takeatest/take_a_test_flow_dark.png and /dev/null differ diff --git a/education/windows/images/takeatest/tat_settingsapp_setupaccount_addtestaccount.PNG b/education/windows/images/takeatest/tat_settingsapp_setupaccount_addtestaccount.PNG deleted file mode 100644 index 66c28eccc7..0000000000 Binary files a/education/windows/images/takeatest/tat_settingsapp_setupaccount_addtestaccount.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount.PNG b/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount.PNG deleted file mode 100644 index 70a917d836..0000000000 Binary files a/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount.PNG and /dev/null differ 
diff --git a/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.PNG b/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.PNG deleted file mode 100644 index deb04f2e74..0000000000 Binary files a/education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG b/education/windows/images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG deleted file mode 100644 index c9221ed95a..0000000000 Binary files a/education/windows/images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG and /dev/null differ diff --git a/education/windows/images/takeatest/wcd-take-a-test.png b/education/windows/images/takeatest/wcd-take-a-test.png new file mode 100644 index 0000000000..c05761dfb8 Binary files /dev/null and b/education/windows/images/takeatest/wcd-take-a-test.png differ diff --git a/education/windows/index.yml b/education/windows/index.yml index 5205e02a4a..012096eecd 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -83,9 +83,13 @@ landingContent: linkLists: - linkListType: concept links: - - text: Take tests and assessments - url: take-tests-in-windows-10.md + - text: Take tests and assessments in Windows + url: take-tests-in-windows.md - text: Change Windows editions url: change-home-to-edu.md - text: "Deploy Minecraft: Education Edition" - url: get-minecraft-for-education.md \ No newline at end of file + url: get-minecraft-for-education.md + - linkListType: how-to-guide + links: + - text: Configure Take a Test in kiosk mode + url: edu-take-a-test-kiosk-mode.md \ No newline at end of file diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 92e12acb44..afb19817af 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md 
@@ -40,7 +40,7 @@ You can use the following diagram to compare the tools. ## Related topics -[Take tests in Windows 10](take-tests-in-windows-10.md) +[Take tests in Windows](take-tests-in-windows.md) [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index dd064677bf..ba90dcb6ed 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
@@ -1,41 +1,42 @@ --- title: Take a Test app technical reference -description: The policies and settings applied by the Take a Test app. -keywords: take a test, test taking, school, policies +description: List of policies and settings applied by the Take a Test app. +ms.date: 09/30/2022 ms.prod: windows -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu +ms.technology: windows +ms.topic: reference ms.localizationpriority: medium -ms.collection: education author: paolomatarazzo ms.author: paoloma -ms.date: 08/10/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz +ms.collection: education appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- -# Take a Test app technical reference +# Take a Test app technical reference -Take a Test is an app that locks down the PC and displays an online assessment web page. +Take a Test is an application that locks down a device and displays an online assessment web page. -Whether you're a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This environment means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments +Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments. 
Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api). -## PC lockdown for assessment +## PC lock-down for assessment - When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app won't be above lock and won't have any of the policies applied. + When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied. 
When running above the lock screen: -- The app runs full screen with no chrome -- The hardware print screen button is disabled -- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software -- System clipboard is cleared -- Web apps can query the processes currently running in the user’s device -- Extended display shows up as black + +- The app runs full screen with no chrome +- The hardware print screen button is disabled +- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software +- System clipboard is cleared +- Web apps can query the processes currently running in the user's device +- Extended display shows up as black - Auto-fill is disabled ## Mobile device management (MDM) policies @@ -45,7 +46,7 @@ When Take a Test is running, the following MDM policies are applied to lock down | Policy | Description | Value | |---|---|---| | AllowToasts | Disables toast notifications from being shown | 0 | -| AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 | +| AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 | | AllowDeviceDiscovery | Disables UI for screen sharing | 0 | | AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 | | AllowCortana | Disables Cortana functionality | 0 | 
@@ -67,41 +68,42 @@ To ensure Take a Test activates correctly, make sure the following Group Policy When Take a Test is running, the following functionality is available to students: -- Assistive technology that is configured to run above the lock screen should run as expected -- Narrator is available through Windows key + Enter -- Magnifier is available through Windows key + "+" key - - - Full screen mode is compatible - -- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements: - - - Take a Test - - Assistive technology that may be running +- Assistive technology that is configured to run above the lock screen should run as expected +- Narrator is available through Win+Enter +- Magnifier is available through Win++ +- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements: + - Take a Test + - Assistive technology that may be running - Lock screen (not available if student is using a dedicated test account) - > [!NOTE] - > The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. - -- The student can exit the test by pressing one of the following key combinations: - - - Ctrl+Alt+Del - - On Windows 10 Enterprise or Windows 10 Education versions, IT admins can choose to block this functionality by configuring a [keyboard filter](/windows-hardware/customize/enterprise/keyboardfilter). - - - Alt+F4 (Take a Test will restart if the student is using a dedicated test account) - - > [!NOTE] - > Alt+F4 is disabled in Windows 10, version 1703 (Creators Update) and later. + > [!NOTE] + > The app will exit if the student signs in to an account from the lock screen. + > Progress made in the test may be lost or invalidated. 
+- The student can exit the test by pressing Ctrl+Alt+Delete ## Permissive mode -Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps. +This mode enables students who need access to other apps, like accessibility tools, to use the apps. -When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test. +When permissive mode is triggered in lock-down mode, Take a Test transitions from lock-down mode to running windows mode on the user's desktop. The student can then run allowed apps during the test. When running tests in this mode, keep the following points in mind: -- Permissive mode isn't supported in kiosk mode (dedicated test account). -- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode. +- Permissive mode isn't supported in kiosk mode (dedicated test account) +- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode + +## Troubleshoot Take a Test with the event viewer + +You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more. + +To enable viewing events in the Event Viewer: + +1. Open the `Event Viewer` +1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment` +1. Select `Operational` > `Enable Log` + +To save the event logs: + +1. Select `Operational` > `Save All Events As…` ## Learn more 
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md deleted file mode 100644 index 25de4845e6..0000000000 --- a/education/windows/take-a-test-multiple-pcs.md +++ /dev/null 
@@ -1,272 +0,0 @@ ---- -title: Set up Take a Test on multiple PCs -description: Learn how to set up and use the Take a Test app on multiple PCs. -keywords: take a test, test taking, school, set up on multiple PCs -ms.prod: windows -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: medium -ms.collection: education -author: paolomatarazzo -ms.author: paoloma -ms.date: 08/10/2022 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE ---- - -# Set up Take a Test on multiple PCs - -Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. - -Follow the guidance in this topic to set up Take a Test on multiple PCs. - -## Set up a dedicated test account -To configure a dedicated test account on multiple PCs, select any of the following methods: -- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app) -- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) -- [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) -- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a PowerShell script](#create-a-scheduled-task-in-group-policy) - -### Set up a test account in the Set up School PCs app -If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. 
- -If you set up Take a Test, the **Take a Test** button is added on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. - -**Figure 1** - Configure Take a Test in the Set up School PCs app - -![Configure Take a Test in the Set up School PCs app.](images/takeatest/suspc_choosesettings_setuptakeatest.png) - -### Set up a test account in Intune for Education -You can set up a test-taking account in Intune for Education. To do this, follow these steps: - -1. In Intune for Education, select **Take a Test profiles** from the menu. -2. Click **+ Add Test Profile** to create an account. - - **Figure 2** - Add a test profile in Intune for Education - - ![Add a test profile in Intune for Education.](images/takeatest/i4e_takeatestprofile_addnewprofile.png) - -3. In the new profile page: - 1. Enter a name for the profile. - 2. Enter the assessment URL. - 3. Toggle the switch to **Allow screen capture**. - 4. Select a user account to use as the test-taking account. - 5. Click **Save**. - - **Figure 3** - Add information about the test profile - - ![Add information about the test profile.](images/takeatest/i4e_takeatestprofile_newtestaccount.png) - - After you save the test profile, you'll see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. - -4. In the test account page, click **Groups**. - - **Figure 4** - Assign the test account to a group - - ![Assign the test account to a group.](images/takeatest/i4e_takeatestprofile_accountsummary.png) - -5. In the **Groups** page, click **Change group assignments**. - - **Figure 5** - Change group assignments - - ![Change group assignments.](images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.png) - -6. In the **Change group assignments** page: - 1. 
Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. - 2. Click **OK** when you're done making your selection. - - **Figure 6** - Select the group(s) that will use the test account - - ![Select the groups that will use the test account.](images/takeatest/i4e_takeatestprofile_groupassignment_selected.png) - -And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. - -### Set up a test account in MDM or Configuration Manager -You can configure a dedicated testing account through MDM or Configuration Manager by specifying a single account in the directory to be the test-taking account. Devices that have the test-taking policies can sign into the specified account to take the test. - -**Best practice** -- Create a single account in the directory specifically for test taking - - Active Directory example: Contoso\TestAccount - - Azure Active Directory example: testaccount@contoso.com - -- Deploy the policies to the group of test-taking devices - -**To enable this configuration** - -1. Launch your management console. -2. Create a policy to set up single app kiosk mode using the following values: - - - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp - - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} - - *Account* can be in one of the following formats: - - username (not recommended) - - domain\username - - computer name\\username (not recommended) - - username@tenant.com - -3. Create a policy to configure the assessment URL using the following values: - - - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI - - **String value** = *assessment URL* - -4. 
Create a policy that associates the assessment URL to the account using the following values: - - - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount - - **String value** = Enter the account that you specified in step 2, using the same account format. - -5. Deploy the policies to the test-taking devices. -6. To take the test, the student signs in to the test account. - -### Set up a test account through Windows Configuration Designer -To set up a test account through Windows Configuration Designer, follow these steps. - -1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account. - 1. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. - 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. - 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. - - **Figure 7** - Add the account to use for test-taking - - ![Add the account to use for test-taking.](images/wcd/wcd_settings_assignedaccess.png) - - The account can be in one of the following formats: - - username - - domain\username - - computer name\\username - - username@tenant.com - - 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - - In **LaunchURI**, enter the assessment URL. - - In **TesterAccount**, enter the test account you entered in step 3. - -3. 
Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package).
-
- - You'll see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name).
- - Copy the provisioning package to a USB drive.
-
-4. Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created.
-
-### Set up a tester account in Group Policy
-To set up a tester account using Group Policy, first create a PowerShell script that configures the tester account and assessment URL, and then create a scheduled task to run the script.
-
-#### Create a PowerShell script
-This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to:
-
-- Use your assessment URL for **$obj.LaunchURI**
-- Use your tester account for **$obj.TesterAccount**
-- Use your tester account for **-UserName**
-
->[!NOTE]
->The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](./take-a-test-single-pc.md#set-up-a-dedicated-test-account).
-
-```powershell
-$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
-$obj.LaunchURI='https://www.foo.com';
-$obj.TesterAccount='TestAccount';
-$obj.put()
-Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
-```
-
-#### Create a scheduled task in Group Policy
-1. Open the Group Policy Management Console.
-2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**.
-3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**.
-4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**.
-5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**.
-6. In the **Select User or Group** dialog box, click **Advanced**.
-7. In the **Advanced** dialog box, click **Find Now**.
-8. Select **System** in the search results
-9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**.
-10. Specify the operating system in the **Configure for** field.
-11. Navigate to the **Actions** tab.
-12. Create a new **Action**.
-13. Configure the action to **Start a program**.
-14. In the **Program/script** field, enter **powershell**.
-15. In the **Add arguments** field, enter **-file "\"**.
-16. Click **OK**.
-17. Navigate to the **Triggers** tab and create a new trigger.
-18. Specify the trigger to be **On a schedule**.
-19. Specify the trigger to be **One time**.
-20. Specify the time the trigger should start.
-21. Click **OK**.
-22. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**.
-23. Click **OK**.
-
-## Provide link to test
-Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-
-**To provide a link to the test**
-
-1. Create the link to the test using schema activation.
- - Create a link using a web UI
-
- For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this option for teachers.
-
- To get started, navigate to: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
-
- - Create a link using schema activation
-
- You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
-
- For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
-
-2. Distribute the link.
-
- Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
-
-3. To take the test, have the students click on the link and provide user consent.
-
-### Create a link using schema activation
-One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
-
-**To enable schema activation for assessment URLs**
-
-1. Embed a link or create a desktop shortcut with:
-
- ```http
- ms-edu-secureassessment:#enforceLockdown
- ```
-
-2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
-
- - `&enableTextSuggestions` - Enables text suggestions
- - `&requirePrinting` - Enables printing
- - `&enableScreenCapture` - Enables screen capture
- - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
-
- If you exclude these parameters, the default behavior is disabled.
-
- For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. The test web application may lock down the device once you've closed the apps.
-
- > [!NOTE]
- > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
-
-3. To enable permissive mode, don't include `enforceLockdown` in the schema parameters.
-
- For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
-
-### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To create the shortcut, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
-
-1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
-2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
-3. Click **Next**.
-4. Type a name for the shortcut and then click **Finish**.
-
-Once the shortcut is created, you can copy it and distribute it to students.
-
-## Related topics
-
-[Take tests in Windows](take-tests-in-windows-10.md)
-
-[Set up Take a Test on a single PC](take-a-test-single-pc.md)
-
-[Take a Test app technical reference](take-a-test-app-technical.md)
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
deleted file mode 100644
index bf7fd7c439..0000000000
--- a/education/windows/take-a-test-single-pc.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: Set up Take a Test on a single PC
-description: Learn how to set up and use the Take a Test app on a single PC.
-keywords: take a test, test taking, school, set up on single PC
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer:
-manager: aaroncz
-appliesto:
-- ✅ Windows 10
-- ✅ Windows 11
-- ✅ Windows 11 SE
----
-# Set up Take a Test on a single PC
-
-To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic.
-
-## Set up a dedicated test account
-To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
-
-1. Sign into the Windows device with an administrator account.
-2. Open the **Settings** app and go to **Accounts > Access work or school**.
-3. Click **Set up an account for taking tests**.
-
- **Figure 1** - Use the Settings app to set up a test-taking account
-
- ![Use the Settings app to set up a test-taking account.](images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
-
-4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
-
- **Figure 2** - Choose the test-taking account
-
- ![Choose the test-taking account.](images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.png)
-
- > [!NOTE]
- > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
-
-5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**.
-6. Select the options you want to enable during the test.
- - To enable printing, select **Require printing**.
-
- > [!NOTE]
- > Make sure a printer is preconfigured on the Take a Test account if you're enabling this option.
-
- - To enable teachers to monitor screens, select **Allow screen monitoring**.
- - To allow text suggestions, select **Allow text suggestions**.
-
-7. Click **Save**.
-8. To take the test, the student must sign in using the test-taking account that you created.
-
-## Provide a link to the test
-Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-
-**To provide a link to the test**
-
-1. Create the link to the test.
-
- There are different ways you can do this:
- - Create a link using a web UI
-
- For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
-
- To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
-
- - Create a link using schema activation
-
- You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
-
- For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
-
-2. Distribute the link.
-
- Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing.
-
- You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
-
-3. To take the test, have the students click on the link and provide user consent.
-
- > [!NOTE]
- > If you enabled printing, the printer must be preconfigured for the account before the student takes the test.
-
-
-### Create a link using schema activation
-One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
-
-**To enable schema activation for assessment URLs**
-
-1. Embed a link or create a desktop shortcut with:
-
- ```
- ms-edu-secureassessment:#enforceLockdown
- ```
-
-2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
-
- - `&enableTextSuggestions` - Enables text suggestions
- - `&requirePrinting` - Enables printing
- - `&enableScreenCapture` - Enables screen capture
- - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
-
- If you exclude these parameters, the default behavior is disabled.
-
- For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
-
- > [!NOTE]
- > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
-
-3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
-
- For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
-
-
-### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
-
-1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
-2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
-3. Click **Next**.
-4. Type a name for the shortcut and then click **Finish**.
-
-Once the shortcut is created, you can copy it and distribute it to students.
-
-
-## Related topics
-[Take tests in Windows](take-tests-in-windows-10.md)
-
-[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-
-[Take a Test app technical reference](take-a-test-app-technical.md)
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
deleted file mode 100644
index 3bff38fdc6..0000000000
--- a/education/windows/take-tests-in-windows-10.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Take tests in Windows
-description: Learn how to set up and use the Take a Test app.
-keywords: take a test, test taking, school, how to, use Take a Test
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer:
-manager: aaroncz
-appliesto:
-- ✅ Windows 10
-- ✅ Windows 11
-- ✅ Windows 11 SE
----
-
-# Take tests in Windows
-
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
-
-- Take a Test shows just the test and nothing else.
-- Take a Test clears the clipboard.
-- Students aren’t able to go to other websites.
-- Students can’t open or access other apps.
-- Students can't share, print, or record their screens unless enabled by the teacher or IT administrator
-- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
-- Cortana is turned off.
-
-## How to use Take a Test
-
-![Set up and user flow for the Take a Test app.](images/takeatest/take_a_test_flow_dark.png)
-
-There are several ways to configure devices for assessments, depending on your use case:
-
-- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL.
-- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
-
-1. **Configure an assessment URL and a dedicated testing account**
-
- In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-
- There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs.
-
- - **For a single PC**
-
- You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
-
- - **For multiple PCs**
-
- You can use any of these methods:
- - Mobile device management (MDM) or Microsoft Endpoint Configuration Manager
- - A provisioning package created in Windows Configuration Designer
- - Group Policy to deploy a scheduled task that runs a Powershell script
-
- You can also configure Take a Test using these options:
- - Set up School PCs app
- - Intune for Education
-
- For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
-
-2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method**
-
- This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
-
- You can enable this using a schema activation.
-
-
-## How to exit Take a Test
-To exit the Take a Test app at any time, press Ctrl+Alt+Delete.
-
-
-## Get more info
-- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d) to find out how.
-- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
new file mode 100644
index 0000000000..c60b202ae2
--- /dev/null
+++ b/education/windows/take-tests-in-windows.md
@@ -0,0 +1,100 @@
+---
+title: Take tests and assessments in Windows
+description: Description of the built-in Take a Test app for Windows and how to use it.
+ms.date: 09/30/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Take tests and assessments in Windows
+
+Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
+
+- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- access other applications
+- change system settings, such as display extension, notifications, updates
+- access Cortana
+- access content copied to the clipboard
+
+## How to use Take a Test
+
+There are different ways to use Take a Test, depending on the use case:
+
+- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
+- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
+
+![Set up and user flow for the Take a Test app.](images/takeatest/flow-chart.png)
+
+## Create a secure assessment link
+
+Anything hosted on the web can be presented in a locked down manner using the Take a Test app, not just assessments. To lock down online content, a URL must be embedded with a specific prefix and devices will be locked down when users open the link.
+
+To create a secure assessment link to the test, there are two options:
+
+- Create a link using a web application
+- Create a link using schema activation
+
+### Create a link using a web application
+
+For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can:
+
+- Paste the link to the assessment URL
+- Select the options you want to allow during the test
+- Generate the link by selecting the button Create link
+
+This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
+
+### Create a link using schema activation
+
+For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test.
+The URL must be in the following format:
+
+```
+ms-edu-secureassessment:#enforceLockdown
+```
+
+To enable printing, screen capture, or both, use the above link and append one of these parameters:
+
+- `&enableTextSuggestions` - Enables text suggestions
+- `&requirePrinting` - Enables printing
+- `&enableScreenCapture` - Enables screen capture
+- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
+
+If these parameters aren't included, the default behavior is to disable the capabilities.
+
+For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. Take a Test will lock down the device once the applications are closed.
+
+To enable permissive mode, don't include `enforceLockdown` in the schema parameters. For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
+
+## Distribute the secure assessment link
+
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+
+For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
+
+To take the test, have the students open the link.
+
+> [!NOTE]
+> If you enabled printing, the printer must be pre-configured for the account before the student takes the test.
+
+:::image type="content" source="./images/takeatest/desktop-shortcuts.png" alt-text="Windows 11 SE desktop showing two shortcuts to assessment URLs." border="true":::
+
+> [!NOTE]
+> If using `enforceLockdown`, to exit the Take a Test app at any time, press Ctrl+Alt+Delete. Students will be prompted to type their password to get back to their desktop.
+
+## Additional information
+
+Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/office/).
+
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index 333618e34c..faf86a1fa0 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -62,7 +62,7 @@ Settings that are commonly configured for student devices include:
 - Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
 - Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
-- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
+- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
 For more information, see [Windows device settings in Intune for Education][INT-3].
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index 1a0048e8b2..0d58d8889b 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -33,15 +33,10 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
 Select one of the following options to learn the next steps about the enrollment method you chose:
-
-> [!div class="nextstepaction"]
-> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
-
-> [!div class="nextstepaction"]
-> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
-
-> [!div class="nextstepaction"]
-> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
+> [!div class="op_single_selector"]
+> - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
+> - [Bulk enrollment with provisioning packages](enroll-package.md)
+> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
new file mode 100644
index 0000000000..b0dec35701
--- /dev/null
+++ b/education/windows/windows-11-se-faq.yml
@@ -0,0 +1,68 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows 11 SE Frequently Asked Questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
+ ms.prod: windows
+ ms.technology: windows
+ author: paolomatarazzo
+ ms.author: paoloma
+ manager: aaroncz
+ ms.reviewer:
+ ms.collection: education
+ ms.topic: faq
+ localizationpriority: medium
+ ms.date: 09/14/2022
+ appliesto:
+ - ✅ Windows 11 SE
+
+title: Common questions about Windows 11 SE
+summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
+
+sections:
+ - name: General
+ questions:
+ - question: What is Windows 11 SE?
+ answer: |
+ Windows 11 SE is a new cloud-first operating system that offers the power and reliability of Windows 11 with a simplified design and tools specially designed for schools.
+ To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+ - question: Who is the Windows 11 SE designed for?
+ answer: |
+ Windows 11 SE is designed for students in grades K-8 who use a laptop provided by their school, in a 1:1 scenario.
+ - question: What are the major differences between Windows 11 and Windows 11 SE?
+ answer: |
+ Windows 11 SE was created based on feedback from educators who wanted a distraction-free experience for their students. Here are some of the differences that you'll find in Windows 11 SE:
+ - Experience a simplified user interface so you can stay focused on the important stuff
+ - Only IT admins can install apps. Users will not be able to access the Microsoft Store or download apps from the internet
+ - Use Snap Assist to maximize screen space on smaller screens with two-window snapping
+ - Store your Desktop, Documents, and Photos folders in the cloud using OneDrive, so your work is backed up and easy to find
+ - Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
+ - name: Deployment
+ questions:
+ - question: Can I load Windows 11 SE on any hardware?
+ answer: |
+ Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+ - name: Applications and settings
+ questions:
+ - question: How can I install applications on Windows 11 SE?
+ answer: |
+ You can use Microsoft Intune to install applications on Windows 11 SE.
+ For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
+ - question: What apps will work on Windows 11 SE?
+ answer: |
+ Windows 11 SE supports all web applications and a curated list of desktop applications. You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list](/education/windows/windows-11-se-overview), then distribute it.
+ For more information, see [Considerations for Windows 11 SE](/education/windows/tutorial-school-deployment/configure-device-apps#considerations-for-windows-11-se).
+ - question: Why there's no application store on Windows 11 SE?
+ answer: |
+ IT Admins can manage system settings (including application installation and the application store) to ensure all students have a safe, distraction-free experience. On Windows SE devices, you have pre-installed apps from Microsoft, from your IT admin, and from your device manufacturer. You can continue to use web apps on the Microsoft Edge browser, as web apps do not require installation.
+ For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-app).
+ - question: What does the error 0x87D300D9 mean in the Intune for Education portal?
+ answer: |
+ This error means that the app you are trying to install is not supported on Windows 11 SE. If you have an app that fails with this error, then:
+ - Make sure the app is on the [available applications list](/education/windows/windows-11-se-overview#available-applications). Or, make sure your app is [approved for Windows 11 SE](/education/windows/windows-11-se-overview#add-your-own-applications)
+ - If the app is approved, then it's possible the app is not packaged correctly. For more information, [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps)
+ - If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own applications](/education/windows/windows-11-se-overview#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
+ - name: Out-of-box experience (OOBE)
+ questions:
+ - question: My Windows 11 SE device is stuck in OOBE, how can I troubleshoot it?
+ answer: |
+ To access the Settings application during OOBE on a Windows 11 SE device, press Shift+F10, then select the accessibility icon :::image type="icon" source="images/icons/accessibility.svg"::: on the bottom-right corner of the screen. From the Settings application, you can troubleshoot the OOBE process and, optionally, trigger a device reset.
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index f524db0125..6827ee275a 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -88,8 +88,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure | 8.0.0 | Win32 | AIR |
 | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
-| Brave Browser | 1.34.80 | Win32 | Brave |
+| Brave Browser | 106.0.5249.65 | Win32 | Brave |
 | Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
+| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
 | Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
 | CKAuthenticator | 3.6 | Win32 | Content Keeper |
 | Class Policy | 114.0.0 | Win32 | Class Policy |
@@ -133,7 +134,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | Remote Help | 3.8.0.12 | Win32 | Microsoft |
 | Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
 | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
-| Secure Browser | 14.0.0 | Win32 | Cambium Development |
 | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
 | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
 | Zoom | 5.9.1 (2581) | Win32 | Zoom |
@@ -167,14 +167,6 @@ When the app is ready, Microsoft will update you. Then, you add the app to the I
 For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
-### 0x87D300D9 error with an app
-
-When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
-
-- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
-- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
-- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
-
 ## Related articles
 - [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 0dda7bbc35..92038f93e9 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -17,7 +17,7 @@ appliesto: # Windows 11 SE for Education settings list -Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. +Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). @@ -61,45 +61,6 @@ The following settings can't be changed. | Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. | | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). | -## What's available in the Settings app - -On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown. - -- Accessibility - -- Accounts - - Email & accounts - -- Apps - -- Bluetooth & devices - - Bluetooth - - Printers & scanners - - Mouse - - Touchpad - - Typing - - Pen - - AutoPlay - -- Network & internet - - WiFi - - VPN - -- Personalization - - Taskbar - -- Privacy & security - -- System - - Display - - Notifications - - Tablet mode - - Multitasking - - Projecting to this PC - -- Time & Language - - Language & region - ## Next steps [Windows 11 SE for Education overview](windows-11-se-overview.md) diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 172f1e3c6c..da8c28524d 100644 
--- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -21,7 +21,7 @@ appliesto: Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). +Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). 
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index e0eb4e127d..1c99168f4a 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -101,6 +101,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. --- - [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEVCVideoExtension +> [!NOTE] +> For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) from the Microsoft Store. - Supported versions: --- diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index e631ae9d84..442eedecc8 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -7,12 +7,12 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/28/2019 -ms.reviewer: +ms.reviewer: manager: willchen ms.collection: highpri --- -# Generate a kernel or complete crash dump +# Generate a kernel or complete crash dump A system crash (also known as a “bug check” or a "Stop error") occurs when Windows can't run correctly. The dump file that is produced from this event is called a system crash dump. 
@@ -39,7 +39,7 @@ To enable memory dump setting, follow these steps: 5. Restart the computer. >[!Note] ->You can change the dump file path by edit the **Dump file** field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp. +>You can change the dump file path by edit the **Dump file** field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp. ### Tips to generate memory dumps @@ -72,13 +72,13 @@ If you can sign in while the problem is occurring, you can use the Microsoft Sys On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server. -In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. +In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. To implement this process, follow these steps: -> [!IMPORTANT] +> [!IMPORTANT] > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. - + > [!NOTE] > This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. 
@@ -98,14 +98,14 @@ To implement this process, follow these steps: 7. Hardware vendors, such as HP, IBM, and Dell, may provide an Automatic System Recovery (ASR) feature. You should disable this feature during troubleshooting. For example, if the HP and Compaq ASR feature is enabled in the BIOS, disable this feature while you troubleshoot to generate a complete Memory.dmp file. For the exact steps, contact your hardware vendor. -8. Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface. +8. Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface. >[!Note] >For the exact steps, see the BIOS reference manual or contact your hardware vendor. 9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction. -If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq). +If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/troubleshoot/azure/virtual-machines/serial-console-nmi-sysrq). ### Use the keyboard diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 8687773b6b..c78db44623 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md 
@@ -52,7 +52,7 @@ ms.date: 08/01/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) Insider +- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) Insider - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 79aba31f6b..7be79948ea 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,7 +1,7 @@ --- title: Policy CSP description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -65,22 +65,22 @@ Policy ``` -**./Vendor/MSFT/Policy** +**./Vendor/MSFT/Policy** The root node for the Policy configuration service provider. Supported operation is Get. -**Policy/Config** +**Policy/Config** Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value. Supported operation is Get. -**Policy/Config/_AreaName_** +**Policy/Config/_AreaName_** The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. Supported operations are Add, Get, and Delete. -**Policy/Config/_AreaName/PolicyName_** +**Policy/Config/_AreaName/PolicyName_** Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies: 
@@ -94,27 +94,27 @@ The following list shows some tips to help you when configuring policies: - Supported operations are Add, Get, Delete, and Replace. - Value type is string. -**Policy/Result** +**Policy/Result** Groups the evaluated policies from all providers that can be configured. Supported operation is Get. -**Policy/Result/_AreaName_** +**Policy/Result/_AreaName_** The area group that can be configured by a single technology independent of the providers. Supported operation is Get. -**Policy/Result/_AreaName/PolicyName_** +**Policy/Result/_AreaName/PolicyName_** Specifies the name/value pair used in the policy. Supported operation is Get. -**Policy/ConfigOperations** +**Policy/ConfigOperations** Added in Windows 10, version 1703. The root node for grouping different configuration operations. Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall** +**Policy/ConfigOperations/ADMXInstall** Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). > [!NOTE] 
@@ -124,27 +124,27 @@ ADMX files that have been installed by using **ConfigOperations/ADMXInstall** ca Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/_AppName_** -Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +**Policy/ConfigOperations/ADMXInstall/_AppName_** +Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** +**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** +**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. Supported operations are Add and Get. Does not support Delete. -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** +**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** +**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. Supported operations are Add and Get. Does not support Delete. @@ -174,7 +174,7 @@ Supported operations are Add and Get. Does not support Delete.
    Accounts/AllowMicrosoftAccountSignInAssistant
    - + ### ActiveXControls policies @@ -185,7 +185,7 @@ Supported operations are Add and Get. Does not support Delete. -### ADMX_ActiveXInstallService policies +### ADMX_ActiveXInstallService policies
    @@ -279,7 +279,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_AppxPackageManager policies +### ADMX_AppxPackageManager policies
    @@ -287,7 +287,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_AppXRuntime policies +### ADMX_AppXRuntime policies
    @@ -304,7 +304,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_AttachmentManager policies +### ADMX_AttachmentManager policies
    @@ -380,7 +380,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_CipherSuiteOrder policies +### ADMX_CipherSuiteOrder policies
    @@ -391,7 +391,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_COM policies +### ADMX_COM policies
    @@ -402,7 +402,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_ControlPanel policies +### ADMX_ControlPanel policies
    @@ -419,7 +419,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_ControlPanelDisplay policies +### ADMX_ControlPanelDisplay policies
    @@ -513,7 +513,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_CredentialProviders policies +### ADMX_CredentialProviders policies
    @@ -527,7 +527,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_CredSsp policies +### ADMX_CredSsp policies
    @@ -563,7 +563,7 @@ Supported operations are Add and Get. Does not support Delete.
    ADMX_CredSsp/RestrictedRemoteAdministration -### ADMX_CredUI policies +### ADMX_CredUI policies
    @@ -574,14 +574,14 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_CtrlAltDel policies +### ADMX_CtrlAltDel policies
    ADMX_Cpls/UseDefaultTile
    -### ADMX_DataCollection policies +### ADMX_DataCollection policies
    @@ -710,7 +710,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_DeviceInstallation policies +### ADMX_DeviceInstallation policies
    @@ -739,7 +739,7 @@ Supported operations are Add and Get. Does not support Delete.
    -### ADMX_DeviceSetup policies +### ADMX_DeviceSetup policies
    @@ -761,7 +761,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ### ADMX_DigitalLocker policies -
    +
    ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1
    @@ -818,7 +818,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_DistributedLinkTracking policies +### ADMX_DistributedLinkTracking policies
    @@ -920,7 +920,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_EAIME policies +### ADMX_EAIME policies
    @@ -975,7 +975,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_EnhancedStorage policies +### ADMX_EnhancedStorage policies
    @@ -998,7 +998,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_ErrorReporting policies +### ADMX_ErrorReporting policies
    @@ -1101,7 +1101,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_EventLog policies +### ADMX_EventLog policies
    @@ -1169,7 +1169,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_EventViewer policies +### ADMX_EventViewer policies
    @@ -1182,7 +1182,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_EventViewer/EventViewer_RedirectionURL
    -### ADMX_Explorer policies +### ADMX_Explorer policies
    @@ -1202,7 +1202,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_ExternalBoot policies +### ADMX_ExternalBoot policies
    @@ -1329,7 +1329,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Globalization policies +### ADMX_Globalization policies
    @@ -1406,7 +1406,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_GroupPolicy policies +### ADMX_GroupPolicy policies
    @@ -1557,7 +1557,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -## ADMX_ICM policies +## ADMX_ICM policies
    @@ -1691,7 +1691,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Kerberos policies +### ADMX_Kerberos policies
    @@ -1736,7 +1736,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_LanmanWorkstation policies +### ADMX_LanmanWorkstation policies
    @@ -1775,7 +1775,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Logon policies +### ADMX_Logon policies
    @@ -1825,7 +1825,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_MicrosoftDefenderAntivirus policies +### ADMX_MicrosoftDefenderAntivirus policies
    @@ -2128,7 +2128,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_MMCSnapins policies +### ADMX_MMCSnapins policies
    @@ -2472,7 +2472,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_msched policies +### ADMX_msched policies
    @@ -2483,7 +2483,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_MSDT policies +### ADMX_MSDT policies
    @@ -2497,7 +2497,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_MSI policies +### ADMX_MSI policies
    @@ -2744,7 +2744,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_NetworkConnections policies +### ADMX_NetworkConnections policies
    @@ -3058,7 +3058,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Power policies +### ADMX_Power policies
    @@ -3138,7 +3138,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_PowerShellExecutionPolicy policies +### ADMX_PowerShellExecutionPolicy policies
    @@ -3184,7 +3184,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Printing policies +### ADMX_Printing policies
    @@ -3268,7 +3268,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Printing2 policies +### ADMX_Printing2 policies
    @@ -3300,7 +3300,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Programs policies +### ADMX_Programs policies
    @@ -3341,9 +3341,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    ADMX_Reliability/ShutdownReason
    -
    +
    -### ADMX_RemoteAssistance policies +### ADMX_RemoteAssistance policies
    @@ -3354,7 +3354,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_RemovableStorage policies +### ADMX_RemovableStorage policies
    @@ -3455,7 +3455,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_RPC policies +### ADMX_RPC policies
    @@ -3543,7 +3543,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Sensors policies +### ADMX_Sensors policies
    @@ -3580,7 +3580,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Servicing policies +### ADMX_Servicing policies
    @@ -3588,7 +3588,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_SettingSync policies +### ADMX_SettingSync policies
    @@ -3620,7 +3620,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_SharedFolders policies +### ADMX_SharedFolders policies
    @@ -3709,7 +3709,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Snmp policies +### ADMX_Snmp policies
    @@ -3725,7 +3725,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_StartMenu policies +### ADMX_StartMenu policies
    @@ -3931,7 +3931,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_SystemRestore policies +### ADMX_SystemRestore policies
    @@ -3950,7 +3950,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_Taskbar policies +### ADMX_Taskbar policies
    @@ -4021,7 +4021,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_tcpip policies +### ADMX_tcpip policies
    @@ -4166,25 +4166,25 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
    +
    ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
    +
    ADMX_TerminalServer/TS_KEEP_ALIVE -
    +
    ADMX_TerminalServer/TS_LICENSE_SECGROUP -
    +
    ADMX_TerminalServer/TS_LICENSE_SERVERS -
    +
    ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
    +
    ADMX_TerminalServer/TS_LICENSING_MODE -
    +
    ADMX_TerminalServer/TS_MAX_CON_POLICY
    @@ -4282,7 +4282,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 - +
    ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2
    @@ -4330,15 +4330,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    ADMX_TerminalServer/TS_USER_PROFILES -
    +
    -### ADMX_Thumbnails policies +### ADMX_Thumbnails policies
    ADMX_Thumbnails/DisableThumbnails -
    +
    ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders
    @@ -4352,7 +4352,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    ADMX_TouchInput/TouchInputOff_1 -
    +
    ADMX_TouchInput/TouchInputOff_2
    @@ -4364,7 +4364,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_TPM policies +### ADMX_TPM policies
    @@ -4399,7 +4399,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_UserExperienceVirtualization policies +### ADMX_UserExperienceVirtualization policies
    @@ -4782,7 +4782,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_UserProfiles policies +### ADMX_UserProfiles policies
    @@ -4811,7 +4811,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_W32Time policies +### ADMX_W32Time policies
    @@ -4828,7 +4828,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WCM policies +### ADMX_WCM policies
    @@ -4853,7 +4853,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WinCal policies +### ADMX_WinCal policies
    @@ -4864,7 +4864,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsConnectNow policies +### ADMX_WindowsConnectNow policies
    @@ -4879,7 +4879,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsExplorer policies +### ADMX_WindowsExplorer policies
    @@ -5097,7 +5097,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsMediaDRM policies +### ADMX_WindowsMediaDRM policies
    @@ -5105,7 +5105,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsMediaPlayer policies +### ADMX_WindowsMediaPlayer policies
    @@ -5174,7 +5174,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsRemoteManagement policies +### ADMX_WindowsRemoteManagement policies
    @@ -5185,7 +5185,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WindowsStore policies +### ADMX_WindowsStore policies
    @@ -5205,7 +5205,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WinInit policies +### ADMX_WinInit policies
    @@ -5219,7 +5219,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WinLogon policies +### ADMX_WinLogon policies
    @@ -5250,7 +5250,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_wlansvc policies +### ADMX_wlansvc policies
    @@ -5286,7 +5286,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### ADMX_WPN policies +### ADMX_WPN policies
    @@ -5338,8 +5338,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    ApplicationManagement/AllowSharedUserAppData
    -
    - ApplicationManagement/BlockNonAdminUserInstall +
    + ApplicationManagement/BlockNonAdminUserInstall
    ApplicationManagement/DisableStoreOriginatedApps @@ -5478,7 +5478,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### Audit policies +### Audit policies
    @@ -6304,40 +6304,40 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### DesktopAppInstaller policies +### DesktopAppInstaller policies
    - DesktopAppInstaller/EnableAdditionalSources + DesktopAppInstaller/EnableAdditionalSources
    - DesktopAppInstaller/EnableAppInstaller + DesktopAppInstaller/EnableAppInstaller
    - DesktopAppInstaller/EnableDefaultSource + DesktopAppInstaller/EnableDefaultSource
    - DesktopAppInstaller/EnableLocalManifestFiles + DesktopAppInstaller/EnableLocalManifestFiles
    - DesktopAppInstaller/EnableHashOverride + DesktopAppInstaller/EnableHashOverride
    - DesktopAppInstaller/EnableMicrosoftStoreSource + DesktopAppInstaller/EnableMicrosoftStoreSource
    - DesktopAppInstaller/EnableMSAppInstallerProtocol + DesktopAppInstaller/EnableMSAppInstallerProtocol
    - DesktopAppInstaller/EnableSettings + DesktopAppInstaller/EnableSettings
    - DesktopAppInstaller/EnableAllowedSources + DesktopAppInstaller/EnableAllowedSources
    - DesktopAppInstaller/EnableExperimentalFeatures + DesktopAppInstaller/EnableExperimentalFeatures
    - DesktopAppInstaller/SourceAutoUpdateInterval + DesktopAppInstaller/SourceAutoUpdateInterval
    @@ -7719,7 +7719,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### MixedReality policies +### MixedReality policies
    @@ -7779,7 +7779,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### Multitasking policies +### Multitasking policies
    @@ -8030,7 +8030,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
    +
    Privacy/LetAppsAccessCalendar
    @@ -8597,7 +8597,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    Start/DisableContextMenus -
    +
    Start/DisableControlCenter
    @@ -9143,11 +9143,11 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    Update/SetPolicyDrivenUpdateSourceForQuality
    -
    - Update/SetProxyBehaviorForUpdateDetection +
    + Update/SetProxyBehaviorForUpdateDetection
    -
    - Update/TargetReleaseVersion +
    + Update/TargetReleaseVersion
    @@ -9442,7 +9442,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    -### WindowsSandbox policies +### WindowsSandbox policies
    @@ -9506,8 +9506,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC > Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). ## Policies in Policy CSP supported by HoloLens devices -- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) +- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) - [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) ## Policies in Policy CSP supported by Windows 10 IoT diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index e49f9c7be8..e308bcc662 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -23,7 +23,7 @@ manager: aaroncz MixedReality/AADGroupMembershipCacheValidityInDays
    - MixedReality/AllowCaptivePortalBeforeSignIn + MixedReality/AllowCaptivePortalBeforeLogon
    MixedReality/AllowLaunchUriInSingleAppKiosk @@ -103,7 +103,7 @@ Steps to use this policy correctly:
    -**MixedReality/AllowCaptivePortalBeforeSignIn** +**MixedReality/AllowCaptivePortalBeforeLogon** @@ -127,11 +127,14 @@ Steps to use this policy correctly: This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. -MixedReality/AllowCaptivePortalBeforeSignIn +MixedReality/AllowCaptivePortalBeforeLogon -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn` +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon` -Bool value +Int value + +- 0: (Default) Off +- 1: On diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 0e11d6566e..dcc9b9b0f9 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -127,7 +127,7 @@ Example: ## Related topics -[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) +[Set up Take a Test](/education/windows/take-a-test-multiple-pcs) [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 902c4828e2..be27ffd69f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -129,13 +129,13 @@
 href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
 - name: Subscription Activation
 items:
- - name: Windows 10/11 Subscription Activation
+ - name: Windows subscription activation
 href: windows-10-subscription-activation.md
- - name: Windows 10/11 Enterprise E3 in CSP
+ - name: Windows Enterprise E3 in CSP
 href: windows-10-enterprise-e3-overview.md
- - name: Configure VDA for Subscription Activation
+ - name: Configure VDA for subscription activation
 href: vda-subscription-activation.md
- - name: Deploy Windows 10/11 Enterprise licenses
+ - name: Deploy Windows Enterprise licenses
 href: deploy-enterprise-licenses.md
 - name: Deploy Windows client updates
 items:
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 0eb5352dfa..f06c1107d1 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,256 +1,296 @@
 ---
-title: Deploy Windows 10/11 Enterprise licenses
-manager: dougeby
-ms.author: aaroncz
-description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP
-ms.prod: w10
-ms.localizationpriority: medium
+title: Deploy Windows Enterprise licenses
+description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
 author: aczechowski
-ms.topic: article
+ms.author: aaroncz
+manager: dougeby
+ms.prod: windows-client
+ms.technology: itpro-deploy
+ms.localizationpriority: medium
+ms.topic: how-to
 ms.collection: highpri
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
 ---
-# Deploy Windows 10/11 Enterprise licenses
+# Deploy Windows Enterprise licenses
-This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+
+These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
+
+- Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
+- Enterprise E3 in CSP.
+- Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
+- Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing.
+ +## Enable subscription activation with an existing EA + +If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant: + +1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license: + + | SKU | Description | + |---------|---------| + | **AAA-51069** | `Win OLS Activation User Alng Sub Add-on E3` | + | **AAA-51068** | `Win OLS Activation User Sub Add-on E5` | + | **VRM-00001** | `Win OLS Activation User GCC Sub Per User` | + + > [!NOTE] + > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. + +1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant. + +1. You can now assign subscription licenses to users. + +If you need to update contact information and resend the activation email, use the following process: + +1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +1. Select **Subscriptions**. + +1. Select **Online Services Agreement List**. + +1. Enter your agreement number, and then select **Search**. + +1. Select the **Service Name**. + +1. In the **Subscription Contact** section, select the name listed under **Last Name**. + +1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email. + +## Preparing for deployment: reviewing requirements + +- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro +- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. 
+ +For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article. + +### Active Directory synchronization with Azure AD + +If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5. + +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD."::: + +Figure 1: On-premises AD DS integrated with Azure AD + +For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: + +- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity) +- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap) + +## Assigning licenses to users + +After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service: + +:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing."::: + +The following methods are available to assign licenses: + +- When you have the required Azure AD subscription, [group-based 
licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. + +- You can sign in to the Microsoft 365 admin center and manually assign licenses: + + :::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user."::: + +- You can assign licenses by uploading a spreadsheet. + +- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx). + +> [!TIP] +> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/). + +## Explore the upgrade experience + +Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition. > [!NOTE] -> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. -> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. -> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. -> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it doesn't work on per device based licensing. +> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11. 
+ +### Step 1: Join Windows Pro devices to Azure AD + +You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up. + +#### Join a device to Azure AD the first time the device is started + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**. + + :::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup."::: + + Figure 2: The "Who owns this PC?" page in initial Windows 10 setup. + +1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**. + + :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup."::: + + Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup. + +1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**. + + :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup."::: + + Figure 4: The "Let's get you signed in" page in initial Windows 10 setup. + +Now the device is Azure AD-joined to the organization's subscription. + +#### Join a device to Azure AD when the device is already set up with Windows 10 Pro > [!IMPORTANT] -> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device isn't able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. 
-> ->Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". +> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account. -## Firmware-embedded activation key +1. Go to **Settings**, select **Accounts**, and select **Access work or school**. -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: + :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page."::: + + Figure 5: "Connect to work or school" configuration in Settings. + +1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**. + + :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard."::: + + Figure 6: Set up a work or school account. + +1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**. + + :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window."::: + + Figure 7: The "Let's get you signed in" window. + +Now the device is Azure AD-joined to the organization's subscription. + +### Step 2: Pro edition activation + +If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key. + +### Step 3: Sign in using Azure AD account + +Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. 
The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. + +:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user."::: + +Figure 8: Sign in to Windows 10 with an Azure AD account. + +### Step 4: Verify that Enterprise edition is enabled + +To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**. + +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings."::: + +Figure 9: Verify Windows 10 Enterprise subscription in Settings. + +If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +> [!NOTE] +> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output: +> +> ```console +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T +> ``` + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues: + +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. +- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709. 
+ +### Troubleshoot common problems in the Activation pane + +Use the following figures to help you troubleshoot when users experience common problems: + +#### Device in healthy state + +The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. + +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated."::: + +#### Device that's not activated with active subscription + +Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active. + +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active."::: + +Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings. + +It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034." + +#### Device that's activated without an Enterprise subscription + +Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. + +:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active."::: + +Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings. + +It displays the following error: "Windows 10 Enterprise subscription is not valid." 
+ +#### Device that's not activated and without an Enterprise subscription + +Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. + +:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active."::: + +Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings. + +It displays both of the previously mentioned error messages. + +### Review requirements on devices + +Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature. + +Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. + +Use the following procedures to review whether a particular device meets these requirements. + +#### Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: ```PowerShell -(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. 
-## Enabling Subscription Activation with an existing EA +#### Determine if a device is Azure AD-joined -If you're an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: +1. Open a command prompt and enter `dsregcmd /status`. -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD. - - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 - -2. After an order is placed, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -3. The admin can now assign subscription licenses to users. +#### Determine the version of Windows -Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: +1. Open a command prompt and enter `winver`. -1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click **Subscriptions**. -3. Click **Online Services Agreement List**. -4. Enter your agreement number, and then click **Search**. -5. Click the **Service Name**. -6. In the **Subscription Contact** section, click the name listed under **Last Name**. -7. Update the contact information, then click **Update Contact Details**. This action will trigger a new email. +1. The **About Windows** window displays the OS version and build information. -Also in this article: -- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. 
-- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. +1. Compare this information again the Windows support lifecycle: -## Active Directory synchronization with Azure AD - -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. - -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This synchronization means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png) - -**Figure 1. 
On-premises AD DS integrated with Azure AD** - -For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: - -- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + - [Windows 10 release information](/windows/release-health/release-information) + - [Windows 11 release information](/windows/release-health/windows11-release-information) > [!NOTE] -> If you're implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. -## Preparing for deployment: reviewing requirements +### Delay in the activation of Enterprise license of Windows 10 -Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. 
This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. -## Assigning licenses to users +## Known issues -Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue: -> [!div class="mx-imgBorder"] -> ![profile.](images/al01.png) +- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`. -The following methods are available to assign licenses: - -1. When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. - -2. You can sign in to portal.office.com and manually assign licenses: - - ![portal.](images/al02.png) - -3. You can assign licenses by uploading a spreadsheet. - -4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. - -5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. 
- -## Explore the upgrade experience - -Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? - -### Step 1: Join Windows 10/11 Pro devices to Azure AD - -Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.

    - - Who owns this PC? page in Windows 10 setup - - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.

    - - Choose how you'll connect - page in Windows 10 setup - - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.

    - - Let's get you signed in - page in Windows 10 setup - - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** - -Now the device is Azure AD–joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** - ->[!IMPORTANT] ->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.

    - - Connect to work or school configuration - - **Figure 5. Connect to work or school configuration in Settings** - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.

    - - Set up a work or school account - - **Figure 6. Set up a work or school account** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.

    - - Let's get you signed in - dialog box - - **Figure 7. The “Let’s get you signed in” dialog box** - -Now the device is Azure AD–joined to the company's subscription. - -### Step 2: Pro edition activation - -> [!IMPORTANT] -> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. -> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - -
    -Windows 10 Pro activated -
    Figure 7a - Windows 10 Pro activation in Settings - -Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - -### Step 3: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -
    Sign in, Windows 10 - -**Figure 8. Sign in by using Azure AD account** - -### Step 4: Verify that Enterprise edition is enabled - -You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. - -
    -Windows 10 activated and subscription active - -**Figure 9 - Windows 10 Enterprise subscription in Settings** - -If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -> [!NOTE] -> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: -> Name: Windows(R), Professional edition -> Description: Windows(R) Operating System, RETAIL channel -> Partial Product Key: 3V66T +- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations. ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later. 
-- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. - -- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active. - -
    - Windows 10 not activated and subscription active -
    Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - -
    - Windows 10 activated and subscription not active -
    Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. - -
    - Windows 10 not activated and subscription not active -
    Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory-joined:** - -1. Open a command prompt and type **dsregcmd /status**. -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. - -**To determine the version of Windows 10:** - -At a command prompt, type: **winver** - -A popup window will display the Windows 10 version number and detailed OS build information. - -If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. - -### Delay in the activation of Enterprise License of Windows 10 - -This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). 
+Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png deleted file mode 100644 index 4066c45dad..0000000000 Binary files a/windows/deployment/images/sa-pro-activation.png and /dev/null differ diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index a10b3e8bbf..b4fd53631f 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
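Review bot: The new text contradicts itself about Windows 10, version 1703: the "Review requirements on devices" section says versions "such as version 1703, don't support this feature", the note right after it says only versions "prior to version 1703" won't upgrade, and the troubleshooting list plus the Figure 10 and Figure 12 captions still use 1703 and 1709 as examples of a supported-but-unactivated Pro edition. Pick one cut-off and apply it in all of those places, or drop the specific version numbers from the examples and captions since the article otherwise defers to the release-information pages. Step 2 also states that a supported device "automatically activates Windows Enterprise edition using the firmware-embedded activation key", yet the later "Firmware-embedded activation key" procedure explicitly covers devices whose output is blank; say what such a device should do (presumably activate Pro manually under **Settings** > **Update & Security** > **Activation**, which the removed Step 2 text stated), otherwise the troubleshooting entry for an unactivated Pro edition has no corresponding remedy. Finally, `1. Compare this information again the Windows support lifecycle:` should read `against`.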
@@ -1,138 +1,42 @@ --- -title: Olympia Corp enrollment guidelines -description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device. -ms.author: aaroncz +title: Olympia Corp Retirement +description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022. +ms.author: lizlong ms.topic: article ms.prod: w10 -ms.technology: windows -author: aczechowski +author: lizgt2000 ms.reviewer: -manager: dougeby -ms.custom: seo-marvel-apr2020 +manager: aaroncz --- # Olympia Corp - + **Applies to** - Windows 10 - Windows 11 -## What is Windows Insider Lab for Enterprise and Olympia Corp? +## Retirement of Olympia Corp -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses.
    +Olympia will be formally retired on October 31, 2022.
    +We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise. -As an Olympia user, you will have an opportunity to: +> [!WARNING] +> To prevent data loss, Olympia participants need to complete the following: +> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses. +> - Please remove your device from Olympia before October 31, 2022. -- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. +To remove the account from Azure Active Directory, follow the steps below: ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + 1. Open the **Settings** app. + 1. Go to **Accounts** > **Access work or school**. + 1. Select the connected account that you want to remove, then select **Disconnect**. + 1. To confirm device removal, select **Yes**. -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). +- After removing your account from Olympia, log in to your device using your local account. -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. 
Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows client device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Azure AD register FAQ](/azure/active-directory/devices/faq) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)). - - ![Settings -> Accounts.](images/1-1.png) - -2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. - -3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**. - - ![Entering account information when setting up a work or school account.](images/1-3.png) - -4. Enter the temporary password that was sent to you. Select **Sign in**. 
Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password.](images/1-4.png) - -5. Read the **Terms and Conditions**. Select **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows client device - -- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) for more information. - - > [!NOTE] - > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key). - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)). 
- - ![Settings -> Accounts.](images/1-1.png) - -2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. - -3. Select **Connect**, then select **Join this device to Azure Active Directory**. - - ![Joining device to Azure AD.](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**. - - ![Set up a work or school account.](images/2-4.png) - -5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Entering temporary password.](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows client Enterprise license won't be renewed if your device isn't connected to Olympia. 
+- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register: +[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register) + +Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 969e44b244..e59eefbb34 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -14,15 +14,13 @@ search.appverid: - MET150 ms.topic: conceptual ms.date: 07/12/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows subscription activation -Applies to: - -- Windows 10 -- Windows 11 - The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). 
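Review bot: The removal steps under "To remove the account from Azure Active Directory" can lock a participant out of an Azure AD-joined Olympia device: the removed enrollment text shows that the AAD-joined path signs in with the Olympia account only, yet the new bullet tells the user to log in with a local account after disconnecting. Add a caveat before step 1 such as `> Before you disconnect, make sure a local administrator account exists on the device. On an Azure AD-joined device the Olympia account can no longer sign in once it is disconnected.` The removed note that the Enterprise edition is not renewed when the device leaves Olympia (and that the Pro product key should be saved for manual reactivation) is also dropped, which matters more now that licenses are being unassigned; consider carrying it into the warning block. Finally, the heading overstates what the steps do: disconnecting a work account removes the device's registration, and the account itself appears to be handled by the license unassignment described above, so "To disconnect your device from Olympia" would be more accurate.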
@@ -100,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> Currently, subscription activation is only available on commercial tenants. It's currently not available on US GCC, GCC High, or DoD tenants. +> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: 
@@ -218,7 +216,7 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). - The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 319f5a8afd..c9216efadf 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
@@ -25,7 +25,7 @@ appliesto: ## Default Enablement -Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. +Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. ### Requirements for automatic enablement 
@@ -33,18 +33,26 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the |Component|Requirement| |---|---| -|Operating System|Windows 11 Enterprise 22H2| +|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**| |Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| -|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. +|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. > [!NOTE] > If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. +> [!NOTE] +> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro). 
+> +> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard). + ## Enable Windows Defender Credential Guard Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. +> [!NOTE] +> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. + ### Enable Windows Defender Credential Guard by using Group Policy You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. 
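Review bot: The new note on Windows 11 Pro devices tells the reader to look for `IsolatedCredentialsRootSecret` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, but by the note's own description that value records that Credential Guard has run on the device at some point, not that it is running now, so the text should say so and direct the reader to the article's verification steps for the current state (I am inferring from the article's structure that such a section exists outside this hunk). A wording such as `> Presence of this value indicates that Windows Defender Credential Guard has previously run on the device; it does not by itself confirm that it is currently enabled.` would avoid admins treating the key as a live status check. Also, "automaticaly" in the first sentence of the note is misspelled.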
@@ -230,24 +238,54 @@ DG_Readiness_Tool_v3.6.ps1 -Ready ## Disable Windows Defender Credential Guard -To disable Windows Defender Credential Guard, you can use the following set of procedures or the [HVCI and Windows Defender Credential Guard hardware readiness tool](#disable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. +Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). -1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**). +If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock. -1. Delete the following registry settings: +If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). 
+ +Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys). + +Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine). + +For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security). + +### Disabling Windows Defender Credential Guard using Group Policy + +If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard. + +1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled": + + :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled."::: + +1. Restart the machine. + +### Disabling Windows Defender Credential Guard using Registry Keys + +If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. + +1. Change the following registry settings to 0: - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` -1. If you also wish to disable virtualization-based security delete the following registry settings: + > [!NOTE] + > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. 
- - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` +1. Restart the machine. - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` +### Disabling Windows Defender Credential Guard with UEFI Lock - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. +If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change. + +1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled". + +1. Change the following registry settings to 0: + + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` 1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: 
@@ -262,37 +300,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p mountvol X: /d ``` -1. Restart the PC. - -1. Accept the prompt to disable Windows Defender Credential Guard. - -1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. - - > [!NOTE] - > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: - > - > ```cmd - > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - > bcdedit /set vsmlaunchtype off - > ``` - -For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). - -> [!NOTE] -> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. - -### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool - -You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```powershell -DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. +1. Restart the PC. 
Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine. ### Disable Windows Defender Credential Guard for a virtual machine 
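Review bot: The rewritten "Disable" introduction drops the readiness-tool path (`DG_Readiness_Tool_v3.6.ps1 -Disable`) while the Enable section earlier in this file still offers that tool as an enablement method, so an admin who enabled Credential Guard with it is no longer told which of the three new procedures applies. A one-line pointer such as `If Windows Defender Credential Guard was enabled with the HVCI and Windows Defender Credential Guard hardware readiness tool, use the registry key procedure, or the UEFI Lock procedure if the tool was run with UEFI Lock.` would close that gap; which procedure matches the tool's configuration is my inference, so confirm with the feature owner before committing. The Group Policy subsection also states it applies when the feature "was enabled via Group Policy", while the introduction says Group Policy alone suffices for the 22H2 default-enablement case; adding to the subsection that an explicit **Disabled** value overrides default enablement (whereas **Not Configured** leaves the default in place, if that is the behaviour) would remove the apparent contradiction.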
@@ -301,3 +309,31 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m ```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` + +## Disabling Virtualization-Based Security + +Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS. + +> [!IMPORANT] +> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects. + +1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled". + +1. Delete the following registry settings: + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` + + > [!IMPORTANT] + > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. + +1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. 
From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above: + + > + > ```cmd + > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + > bcdedit /set vsmlaunchtype off + > ``` + +1. Restart the PC. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 5688ac38d1..562a265130 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -101,7 +101,7 @@ The following tables describe baseline protections, plus protections for improve |Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
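Review bot: The admonition in the new "Disabling Virtualization-Based Security" section is spelled `> [!IMPORANT]`, which the docs renderer will not recognise, so the warning that other security features depend on VBS is likely to render as plain quoted text; it should be `> [!IMPORTANT]`. Step 3 says the EFI variables "must be cleared using bcdedit" but only gives the `loadoptions DISABLE-LSA-ISO,DISABLE-VBS` and `vsmlaunchtype off` commands; the `{0cb3b571-…}` entry those commands target appears to be the SecConfig boot entry created by the UEFI Lock procedure above (its `mountvol X: /d` cleanup is visible in the previous hunk), so step 3 should say to run that procedure's create and mount steps first, or link to it, otherwise `bcdedit /set` is likely to fail on a device where the entry was never created. The removed text's note that the PC needs one-time access to a domain controller to decrypt content such as EFS-protected files after VBS is turned off has no counterpart in the new section and should be restored, since losing access to encrypted data is the kind of side effect the admonition is warning about.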
    - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
    - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **Secure firmware update process**|**Requirements**:
    - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| -|Software: Qualified **Windows operating system**|**Requirement**:
    - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| +|Software: Qualified **Windows operating system**|**Requirement**:
    - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png new file mode 100644 index 0000000000..bfb042a49d Binary files /dev/null and b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png differ diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 7e64879acd..b953d1d21e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -231,6 +231,30 @@ After a successful MFA, the provisioning flow asks the user to create and valida Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. +## Migrate from key trust deployment model to cloud Kerberos trust + +If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: + +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails + +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment. + +If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps: + +1. Disable the certificate trust policy +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context +1. Reboot or sign out and sign back in +1. 
Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) + +> [!NOTE] +> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC. + ## Troubleshooting If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps: diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg new file mode 100644 index 0000000000..21a6b4f235 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg new file mode 100644 index 0000000000..ace95add6b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg new file mode 100644 index 0000000000..6e0d938aed --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + Icon-intune-329 + + + + + + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg new file mode 100644 index 0000000000..ab2d5152ca --- /dev/null 
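Review bot: Step 3 of the certificate trust migration removes the local Hello container with `certutil -deletehellocontainer`, but nothing in the list addresses the certificate that was issued to the user under certificate trust, which presumably stays valid on the issuing CA until it expires or is revoked. A step such as `1. Revoke the Windows Hello for Business certificates previously issued to migrated users on your issuing CA` would close that gap; likewise, the key trust section could state whether the keys registered for key trust are left in place after migration, since the fallback described in its step 3 presumably depends on them. Minor: the sentence ending `fall back to key trust if cloud Kerberos trust login fails` lacks a terminating period.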
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg @@ -0,0 +1,20 @@ + + + + + + + + + + MsPortalFx.base.images-10 + + + + + + + + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg new file mode 100644 index 0000000000..dbbad7d780 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg new file mode 100644 index 0000000000..06ab4c09d7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + Icon-general-18 + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg new file mode 100644 index 0000000000..da64baf975 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index cba7b837da..db57203dd5 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md @@ -8,7 +8,7 @@ ms.author: vinpa ms.reviewer: paoloma manager: aaroncz ms.localizationpriority: medium -ms.date: 06/21/2022 +ms.date: 10/07/2022 adobe-target: true appliesto: - ✅ Windows 11, version 22H2 @@ -40,22 +40,36 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP. -#### [✅ **GPO**](#tab/gpo) +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) + +To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: + +|Setting|Description| +|---------|---------| +|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | +|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| +|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| +|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| + + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings: |Setting|Description| |---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.

    If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.

    If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.

    If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.

    If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.

    If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| -#### [✅ **CSP**](#tab/csp) +#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) -Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense). +Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1]. | Setting | OMA-URI | Data type | |-------------------------|---------------------------------------------------------------------------|-----------| 
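Review bot: The `Service Enabled` rows in both the new Intune table and the reworked GPO table end with an empty bullet (`• |` on its own line) that renders as a stray list item; drop that trailing `•` so the row ends after `Additionally, your users are unable to turn it on.`. In the same rows, `preventing users to turn it off` should read `preventing users from turning it off`, and the `Notify Malicious` description in both tables lost its final period after `invalid certificate`. Since the four settings are now documented three times (Intune, GPO, CSP), keeping the descriptions byte-identical across the tables will make future edits less error-prone.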
@@ -70,9 +84,18 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP]( By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. -To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. +To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. -#### [✅ **GPO**](#tab/gpo) +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) + +|Settings catalog element|Recommendation| +|---------|---------| +|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| +|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| +|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| +|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| + +#### [:::image type="icon" 
source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) |Group Policy setting|Recommendation| |---------|---------| @@ -81,7 +104,7 @@ To better help you protect your organization, we recommend turning on and using |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| -#### [✅ **CSP**](#tab/csp) +#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) |MDM setting|Recommendation| |---------|---------| @@ -99,3 +122,9 @@ To better help you protect your organization, we recommend turning on and using - [Threat protection](../index.md) - [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) + +------------ + +[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense + +[MEM-2]: /mem/intune/configuration/settings-catalog \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index dcad6a2586..0eee8eff2c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
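Review bot: The new Intune recommendation table presents the three `Notify` settings as independent recommendations, but per the `Service Enabled` description earlier in the article, when Enhanced Phishing Protection is off it does not capture events, send data, or notify users, so the warnings only take effect while `Service Enabled` is enabled or left unconfigured. A sentence before the tabs, such as `The Notify settings below only take effect while Service Enabled is not disabled.`, would make that dependency explicit for admins who apply only part of the table. The same applies to the GPO and CSP recommendation tables that follow in this hunk and beyond it.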
@@ -85,6 +85,8 @@ href: merge-windows-defender-application-control-policies.md - name: Enforce WDAC policies href: enforce-windows-defender-application-control-policies.md + - name: Managing WDAC Policies with CI Tool + href: citool-commands.md - name: Use code signing to simplify application control for classic Windows applications href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md items: diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md new file mode 100644 index 0000000000..5a2d7b7e72 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/citool-commands.md 
@@ -0,0 +1,105 @@ +--- +title: Managing CI Policies and Tokens with CiTool +description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool +author: valemieux +ms.author: jogeurte +ms.service: security +ms.reviewer: jogeurte +ms.topic: how-to +ms.date: 08/07/2022 +ms.custom: template-how-to +--- + +# Manage Windows Defender Application Control (WDAC) Policies with CI Tool + +CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. + +## Policy Commands + +| Command | Description | Alias | +|--------|---------|---------| +| --update-policy `` | Add or update a policy on the current system | -up | +| --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp | +| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | + +## Token Commands + +| Command | Description | Alias | +|--------|---------|---------| +| --add-token `` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at | +| --remove-token `` | Remove a Token indicated by ID from the system. | -rt | +| --list-tokens | Dump information about all tokens on the system | -lt | + +> [!NOTE] +> Regarding --add-token, if `` is specified, a pre-existing token with `` should not exist. + +## Miscellaneous Commands + +| Command | Description | Alias | +|--------|---------|---------| +| --device-id | Dump the Code Integrity Device ID | -id | +| --refresh | Attempt to Refresh WDAC Policies | -r | +| --help | Display the tool's help menu | -h | + +## Examples + +1. 
Deploy a WDAC policy onto the system + + ```powershell + PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" + Operation Successful + Press Enter to Continue + ``` + +2. Refresh the WDAC policies + + ```powershell + PS C:\Users\ CITool --refresh + Operation Successful + ``` + +3. Remove a specific WDAC policy by its policy ID + + ```powershell + PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" + Operation Successful + Press Enter to Continue + ``` + +4. Display the help menu + + ```powershell + PS C:\Users\ CITool -h + + ----------------------------- Policy Commands --------------------------------- + --update-policy /Path/To/Policy/File + Add or update a policy on the current system + aliases: -up + --remove-policy PolicyGUID + Remove a policy indicated by PolicyGUID from the system + aliases: -rp + --list-policies + Dump information about all policies on the system, whether they be active or not + aliases: -lp + ----------------------------- Token Commands --------------------------------- + --add-token Path/To/Token/File <--token-id ID> + Deploy a token onto the current system, with an optional specific ID + If is specified, a pre-existing token with should not exist. + aliases:-at + --remove-token ID + Remove a Token indicated by ID from the system. + aliases: -rt + --list-tokens + Dump information about all tokens on the system + aliases: -lt + ----------------------------- Misc Commands --------------------------------- + --device-id + Dump the Code Integrity Device Id + aliases: -id + --refresh + Attempt to Refresh CI Policies + aliases: -r + --help + Display this message + aliases: -h + ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index aa1ac5a9ad..369149227c 100644 
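Review bot: The article never states the privilege level CiTool requires; `--update-policy`, `--remove-policy` and `--refresh` change the code integrity state enforced on the device, so a sentence in the introduction such as `CiTool must be run from an elevated (administrator) prompt to update, remove, or refresh policies.` — presumably true, please confirm — would save readers from confusing failures in a standard prompt. Naming is also inconsistent: the table describes `--refresh` as `Attempt to Refresh WDAC Policies` while the quoted help output says `CI Policies`, and the examples mix `CITool` and `CiTool`. The empty backtick pairs after `--update-policy`, `--remove-policy`, `--add-token` and `--remove-token` (and in the note about `--add-token`) suggest angle-bracket placeholders were dropped, if that is not merely a rendering artifact of this view; spelling them out as code spans like `PolicyFilePath` and `TokenID` keeps the argument names visible.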
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -6,11 +6,11 @@ ms.prod: m365-security audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: jogeurte +ms.reviewer: aaroncz ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 03/08/2022 +ms.date: 10/06/2022 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium @@ -27,13 +27,15 @@ ms.localizationpriority: medium >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. +This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. > [!NOTE] > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. ## Deploying policies for Windows 10 version 1903 and above +You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + 1. Initialize the variables to be used by the script. ```powershell 
@@ -49,7 +51,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force ``` -3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies. +3. Repeat steps 1-2 as appropriate to deploy more WDAC policies. 4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint. ```powershell @@ -82,7 +84,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: ```powershell $MountPoint = 'C:\EFIMount' diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index bd7dcfac4f..48ebdd4db4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md 
@@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 06/27/2022 +ms.date: 10/06/2022 ms.technology: windows-sec --- 
@@ -31,13 +31,17 @@ ms.technology: windows-sec > > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. -Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. +Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. + +You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + +The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. To deploy and manage a Windows Defender Application Control policy with Group Policy: 1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** -2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**. +2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**. > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md). 
@@ -46,15 +50,15 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 3. Name the new GPO. You can choose any name.
-4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**.
 ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
- In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
+ In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b.
 > [!NOTE]
 > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
@@ -62,6 +66,6 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
 > [!NOTE]
- > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+ > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
 7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 9db5920c58..f155922fc3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -6,10 +6,10 @@ ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.topic: how-to
 ---
@@ -48,19 +48,17 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
 > [!NOTE]
 > Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
+You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+
 ### Deploy custom WDAC policies on Windows 10 1903+
 Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
 The steps to use Intune's custom OMA-URI functionality are:
-1. Know a generated policy's GUID, which can be found in the policy xml as ``
+1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
-2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-
-3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
-
-4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
+2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
 - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
 - **Data type**: Base64 (file)
 - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 570d88a692..a5cebfa066 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -14,6 +14,7 @@ author: jgeurten
 ms.reviewer: isbrahm
 ms.author: vinpa
 manager: aaroncz
+ms.date: 10/07/2022
 ---
 # Microsoft recommended driver block rules
@@ -25,36 +26,32 @@ manager: aaroncz
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
 - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
 - Malicious behaviors (malware) or certificates used to sign malware
 - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
-](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
 ## Microsoft vulnerable driver blocklist
-Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
-
-| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
-|--|:--:|:--:|
-| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
-| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
-| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
-| Clean install of Windows | :x: | :heavy_check_mark: |
+With Windows 11 2022 update, the vulnerable driver blocklist is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. The vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by-default for most new Windows 11 devices.
 > [!NOTE]
-> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+> The option to turn Microsoft's vulnerable driver blocklist on or off using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
+
+The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.
+
+Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
 ## Blocking vulnerable drivers using WDAC
-Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
 > [!IMPORTANT]
 > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
@@ -78,6 +75,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
@@ -401,7 +404,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -1800,7 +1803,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -2183,8 +2186,29 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
 > [!NOTE]
-> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
+
+## Steps to download and apply the vulnerable driver blocklist binary
+
+If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps:
+
+1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
+2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
+3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
+4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
+5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
+
+To check that the policy was successfully applied on your computer:
+
+1. Open Event Viewer
+2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
+3. Select **Filter Current Log...**
+4. Replace "<All Event IDs>" with "3099" and select OK
+5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
+
+> [!NOTE]
+> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
 ## More information
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
index bcfc28eb19..2f9f3c81b4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -2,7 +2,6 @@ title: Understanding Windows Defender Application Control (WDAC) secure settings
 description: Learn about secure settings in Windows Defender Application Control.
 ms.prod: windows-client
-ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jgeurten
@@ -10,6 +9,7 @@ ms.reviewer: vinpa
 ms.author: jogeurte
 manager: aaroncz
 ms.date: 10/11/2021
+ms.technology: itpro-security
 ---
 # Understanding WDAC Policy Settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 2ce61c38c1..6ee4af0b30 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -8,8 +8,8 @@ ms.collection: M365-security-compliance
 author: jgeurten
 ms.reviewer: aaroncz
 ms.author: jogeurte
-manager: aaroncz
-ms.date: 06/27/2022
+manager: jsuther
+ms.date: 10/06/2022
 ms.topic: overview
 ---
@@ -26,9 +26,31 @@ ms.topic: overview
 You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
+## Convert your WDAC policy XML to binary
+
+Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file.
+
+ ```powershell
+ ## Update the path to your WDAC policy XML
+ $WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml"
+ [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile
+ if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022)
+ {
+ $PolicyID = $WDACPolicy.SiPolicy.PolicyID
+ $PolicyBinary = $PolicyID+".cip"
+ }
+ else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC)
+ {
+ $PolicyBinary = "SiPolicy.p7b"
+ }
+
+ ## Binary file will be written to your desktop
+ ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary
+ ```
+
 ## Plan your deployment
-As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you'll manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
+As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
 All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.