From 9659f0ec9bfd8d9e864d310c17942755dfa196ac Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 5 May 2025 11:52:13 -0700 Subject: [PATCH 01/24] c2d-temptent-10088089 --- windows/client-management/manage-click-to-do.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/client-management/manage-click-to-do.md b/windows/client-management/manage-click-to-do.md index a972b9a325..fbc627dd9f 100644 --- a/windows/client-management/manage-click-to-do.md +++ b/windows/client-management/manage-click-to-do.md 
@@ -20,9 +20,11 @@ appliesto: Click to Do (preview) helps users to get things done faster by identifying text and images that are currently on their screen so they can perform actions on them. This article provides information about Click to Do and how to manage it in a commercial environment. > [!NOTE] +> - Click to Do is behind [temporary enterprise feature control](/windows/whats-new/temporary-enterprise-feature-control) and will be enabled when the next annual feature update is installed. To enable Click to Do, use the **Enable features introduced via servicing that are off by default** policy setting. For more information, see [Enable features introduced via servicing that are off by default](/windows/deployment/update/waas-advanced-wufb#enable-features-introduced-via-servicing-that-are-off-by-default). > - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined. > - Click to Do is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs). + ## What is Click to Do? Click to Do (preview) analyzes what's on the screen and then allows users to choose the text or image they want to take action on. Users can open Click to Do by using **Windows key** + **Q** or with **Windows key** + **mouse click**. Other entry points for Click to Do include right swipe on touch enabled PCs, Snipping Tool, search results, and the Start menu. 
@@ -64,7 +66,8 @@ The policy setting below allows you to determine whether Click to Do is availabl - When the policy is disabled or not configured, users will have Click to Do available on their device. > [!Important] -> This policy doesn't affect Click to Do in Recall. For more information, see [Manage Recall](manage-recall.md). +> - This policy doesn't affect Click to Do in Recall. For more information, see [Manage Recall](manage-recall.md). +> - If a user prefers to disable Click to Do on their device, they can turn it **Off** using the **Click to Do** setting under **Settings** > **Privacy & security** > **Click to Do**. ## Click to Do privacy considerations From b1361d46e9e1ec66dcae5d6d235115b100e28780 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 5 May 2025 12:07:20 -0700 Subject: [PATCH 02/24] c2d-temptent-10088089 --- windows/client-management/manage-click-to-do.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/manage-click-to-do.md b/windows/client-management/manage-click-to-do.md index fbc627dd9f..0195fe8a3c 100644 --- a/windows/client-management/manage-click-to-do.md +++ b/windows/client-management/manage-click-to-do.md 
@@ -20,7 +20,7 @@ appliesto: Click to Do (preview) helps users to get things done faster by identifying text and images that are currently on their screen so they can perform actions on them. This article provides information about Click to Do and how to manage it in a commercial environment. > [!NOTE] -> - Click to Do is behind [temporary enterprise feature control](/windows/whats-new/temporary-enterprise-feature-control) and will be enabled when the next annual feature update is installed. To enable Click to Do, use the **Enable features introduced via servicing that are off by default** policy setting. For more information, see [Enable features introduced via servicing that are off by default](/windows/deployment/update/waas-advanced-wufb#enable-features-introduced-via-servicing-that-are-off-by-default). +> - Click to Do is behind [temporary enterprise feature control](/windows/whats-new/temporary-enterprise-feature-control) and will be enabled when the next annual feature update is installed. To enable Click to Do, use the **Enable features introduced via servicing that are off by default** policy setting. For more information, see [Enable features introduced via servicing that are off by default](/windows/deployment/update/waas-configure-wufb#enable-features-introduced-via-servicing-that-are-off-by-default). > - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined. > - Click to Do is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. 
For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs). From c0ce8971f2b1ce4146608a15f81cda8f5030a0a5 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 13 May 2025 11:49:46 -0700 Subject: [PATCH 03/24] Update wifi-csp.md with correct SSID/Profile info --- windows/client-management/mdm/wifi-csp.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 5a09b0e1ee..02e7965eff 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -16,10 +16,9 @@ The WiFi configuration service provider provides the functionality to add or del Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- If the authentication method needs a certificate, (e.g. client certificates for EAP-TLS), you must configure it through the [CertificateStore](./certificatestore-csp) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. 
This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. -- The `name_goes_here\` must match `name_goes_here`. +- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-excluded ASCII characters must be escaped using a %-character. This includes replacing the space character with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. - Using ProxyPacUrl or ProxyWPAD in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. 
@@ -108,9 +107,13 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added -Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. +Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is what's used when applied to the system. -SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. +> [!NOTE] +> This field is the Profile Name that will appear as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. This value MAY be different from the SSID of the actual network being broadcast (which is under ` `). + +> [!IMPORTANT] +> If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``, it could lead to some unexpected errors. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`. From 6f40d5aadaa770bdb7940416b8a07af488b9bdd1 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 13 May 2025 15:05:01 -0700 Subject: [PATCH 04/24] More updates --- windows/client-management/mdm/wifi-csp.md | 64 ++++++++++------------- 1 file changed, 29 insertions(+), 35 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 02e7965eff..476762d285 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -1,7 +1,7 @@ --- title: WiFi CSP description: Learn more about the WiFi CSP. -ms.date: 03/12/2025 +ms.date: 05/13/2025 ms.topic: generated-reference --- 
@@ -16,11 +16,11 @@ The WiFi configuration service provider provides the functionality to add or del Programming considerations: -- If the authentication method needs a certificate, (e.g. client certificates for EAP-TLS), you must configure it through the [CertificateStore](./certificatestore-csp) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- If the authentication method needs a certificate (for example, client certificates for EAP-TLS), you must configure it through the [CertificateStore](./certificatestore-csp) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. 
This condition requires that all non-excluded ASCII characters must be escaped using a %-character. This includes replacing the space character with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. +- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character. This includes replacing the space character (` `) with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. -- Using ProxyPacUrl or ProxyWPAD in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. +- Using ProxyPacUrl or ProxyWPAD in Windows client editions (Home, Pro, Enterprise, and Education) will result in failure. @@ -52,7 +52,7 @@ The following list shows the WiFi configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -91,7 +91,7 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -110,10 +110,10 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is what's used when applied to the system. > [!NOTE] -> This field is the Profile Name that will appear as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. This value MAY be different from the SSID of the actual network being broadcast (which is under ` `). +> This field is the Profile Name that appears as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. This value MAY be different from the SSID of the actual network being broadcast (which is under ` `). > [!IMPORTANT] -> If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``, it could lead to some unexpected errors. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`. +> If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``), it could lead to some unexpected errors. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`. @@ -138,7 +138,7 @@ Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, co | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -187,7 +187,7 @@ Allows for defining which administrative entity is setting this Wi-Fi profile. T | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -226,7 +226,7 @@ Optional node. The format is url:port. Configuration of the network proxy (if an | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -243,7 +243,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows 10 client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will result in failure. @@ -267,7 +267,7 @@ Optional node. URL to the PAC file location. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -284,7 +284,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows 10 client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will result in failure. @@ -317,7 +317,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -367,7 +367,7 @@ Optional node. If the policy is active selecting one of the values from the foll | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -414,7 +414,7 @@ If it exists in the blob, the **keyType** and **protected** elements must come b | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -453,7 +453,7 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -469,9 +469,7 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added -Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. - -SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. +See [Device/Profile/{SSID}](#deviceprofilessid) for more information. @@ -496,7 +494,7 @@ SSID is the name of network you're connecting to, while Profile name is the name | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -545,7 +543,7 @@ Allows for defining which administrative entity is setting this Wi-Fi profile. T | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -584,7 +582,7 @@ Optional node. The format is url:port. Configuration of the network proxy (if an | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -601,7 +599,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows 10 client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will result in failure. @@ -625,7 +623,7 @@ Optional node. URL to the PAC file location. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -642,7 +640,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows 10 client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will result in failure. @@ -675,7 +673,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -725,7 +723,7 @@ Optional node. If the policy is active selecting one of the values from the foll | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -743,12 +741,8 @@ Link to schema: -The profile XML must be escaped, as shown in the examples below. -If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). - -> [!NOTE] -> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). +See [Device/Profile/{SSID}/WlanXml](#deviceprofilessidwlanxml) for more information. @@ -790,7 +784,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor chr - MyNetwork412D4D534654574C414EMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse + MyNetwork412D4D534654574C414EMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse From ada61ec6eb809e4edaa61fef3e9e5c5206c899b3 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 13 May 2025 23:36:04 -0700 Subject: [PATCH 05/24] Update EAP and WiFi CSP documentation --- .../mdm/eap-configuration.md | 10 ++- windows/client-management/mdm/wifi-csp.md | 82 ++++++++++++------- 2 files changed, 59 insertions(+), 33 deletions(-) diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index cb42cb7572..f5e211ef20 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md 
@@ -1,12 +1,12 @@ --- title: EAP configuration -description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. +description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows. ms.date: 06/26/2017 --- # EAP configuration -This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10. +This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows. While the screenshots are specifically for VPN, the EAP portions are applicable to Wi-Fi and Wired EAP profiles as well. For more information, see [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles). ## Create an EAP configuration XML for a VPN profile 
@@ -292,6 +292,8 @@ Alternatively, you can use the following procedure to create an EAP configuratio > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) article. -## Related topics +## Related articles -[Configuration service provider reference](index.yml) +* [Configuration service provider reference](index.yml) +* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) +* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) \ No newline at end of file diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 476762d285..af47398d61 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -138,7 +138,7 @@ Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, co | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | @@ -390,7 +390,7 @@ The profile XML must be escaped, as shown in the examples below. If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). > [!NOTE] -> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [WPA2-Enterprise with TLS profile sample](/windows/win32/nativewifi/wpa2-enterprise-with-tls-profile-sample). @@ -404,6 +404,7 @@ If it exists in the blob, the **keyType** and **protected** elements must come b +See [Add a network](#add-a-network) for examples. @@ -494,7 +495,7 @@ See [Device/Profile/{SSID}](#deviceprofilessid) for more information. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | @@ -768,7 +769,7 @@ These XML examples show how to perform various tasks using OMA DM. ### Add a network -The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork'. +The following example shows how to add a WPA2-Enterprise network with SSID and profile name `MyNetwork` that authenticates with PEAP-MSCHAPv2. ```xml @@ -784,7 +785,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor chr - MyNetwork412D4D534654574C414EMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse + MyNetwork4d794e6574776f726bMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse]]> @@ -793,6 +794,49 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor ``` +The following example shows how to add a WPA3-Enterprise network with profile name `My Network` and SSID `MySSID` that authenticates with EAP-TLS. + +> [!IMPORTANT] +> Notice how the space is %-escaped in the `LocURI` and unescaped in the `WLANProfile` > `name`. + +```xml + + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/My%20Network/WlanXml + + + chr + + My NetworkMySSIDESSautoWPA3ENTAEStrueenabled720128disabledmachine1300013truetrue00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33falsetruefalsefalse00112233445566778899aabbccddeeff00112233Client Authentication1.3.6.1.5.5.7.3.2Client Authentication]]> + + + +``` + +The following example shows how to add a WPA3-Personal (transition mode) network with profile name and SSID `MyNetwork` that includes the passphrase `TestPassword1!`. + +```xml + + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + chr + + MyNetworkMyNetworkESSautoWPA3SAEAESfalsetruepassPhrasefalseTestPassword1!]]> + + + +``` + ### Query network profiles The following example shows how to query Wi-Fi profiles installed on an MDM server. 
@@ -825,7 +869,7 @@ The following example shows the response. ### Remove a network -The following example shows how to remove a network with SSID 'MyNetwork' and no proxy. Removing all network authentication types is done in this same manner. +The following example shows how to remove a network with SSID `MyNetwork` and no proxy. Removing all network authentication types is done in this same manner. ```xml @@ -840,32 +884,12 @@ The following example shows how to remove a network with SSID 'MyNetwork' and no ``` - -### Add a network and certification authority for a server certificate - -The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork' and root CA validation for server certificate. - -```xml - - 300 - - 301 - - - ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml - - - chr - - MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse - - - -``` ## Related articles -[Configuration service provider reference](configuration-service-provider-reference.md) +* [Configuration service provider reference](configuration-service-provider-reference.md) +* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) +* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) \ No newline at end of file From 0fbc401dd205dcc11dacbb3feea461b2dbcdcb6e Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 13 May 2025 23:46:32 -0700 Subject: [PATCH 06/24] Acrolinx --- windows/client-management/mdm/wifi-csp.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index af47398d61..3898c4cc25 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -18,9 +18,9 @@ Programming considerations: - If the authentication method needs a certificate (for example, client certificates for EAP-TLS), you must configure it through the [CertificateStore](./certificatestore-csp) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character. This includes replacing the space character (` `) with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. +- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character, including replacing the space character (` `) with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. -- Using ProxyPacUrl or ProxyWPAD in Windows client editions (Home, Pro, Enterprise, and Education) will result in failure. +- Using `ProxyPacUrl` or `ProxyWPAD` in Windows client editions (Home, Pro, Enterprise, and Education) will fail. 
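Review bot: In the reworded `SSID` bullet, "all nonexcluded ASCII characters must be escaped" still reads inverted against RFC 2396: section 2.4.3 requires escaping for the excluded characters, and the space that the sentence goes on to mention is one of them. Since this line is being edited for wording anyway, change "nonexcluded" to "excluded". The unchanged first bullet in the same hunk says a self-signed certificate "works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS", which contradicts itself and is worth resolving in the same pass.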
@@ -107,7 +107,7 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added -Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is what's used when applied to the system. +Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is used inside the system. > [!NOTE] > This field is the Profile Name that appears as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. This value MAY be different from the SSID of the actual network being broadcast (which is under ` `). @@ -243,7 +243,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will fail. @@ -284,7 +284,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will fail. @@ -385,7 +385,7 @@ Link to schema: -The profile XML must be escaped, as shown in the examples below. +The profile XML must be escaped, as shown in the following examples. If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). 
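Review bot: "The profile XML must be escaped, as shown in the following examples" no longer matches what the examples show: the payload lines added to this file earlier in the series end with `]]>`, so they are wrapped in a CDATA section rather than entity-escaped. Reword the sentence to say which forms are accepted (escaped, CDATA, or both), otherwise a reader who follows the text literally and escapes the XML inside the CDATA wrapper will send a profile that differs from the sample.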
@@ -470,7 +470,7 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added -See [Device/Profile/{SSID}](#deviceprofilessid) for more information. +For more information, see [Device/Profile/{SSID}](#deviceprofilessid). @@ -600,7 +600,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will fail. @@ -641,7 +641,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will result in failure. +> Don't use. Using this configuration in Windows client editions will fail. @@ -743,7 +743,7 @@ Link to schema: -See [Device/Profile/{SSID}/WlanXml](#deviceprofilessidwlanxml) for more information. +For more information, see [Device/Profile/{SSID}/WlanXml](#deviceprofilessidwlanxml). From 22c483af5ccef72aef4809e748515e91ac9ac802 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 13 May 2025 23:57:03 -0700 Subject: [PATCH 07/24] WiredNetwork CSP --- .../client-management/mdm/wirednetwork-csp.md | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 25003242b3..7d03ef8177 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,7 +1,7 @@ --- title: WiredNetwork CSP description: Learn more about the WiredNetwork CSP. -ms.date: 03/12/2025 +ms.date: 05/14/2025 ms.topic: generated-reference --- @@ -32,7 +32,7 @@ The following list shows the WiredNetwork configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -72,7 +72,7 @@ Enable block period (minutes), used to specify the duration for which automatic | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -88,6 +88,11 @@ XML describing the wired network configuration and follows the LAN_profile schem +The profile XML must be escaped, as shown in the following examples. + +> [!NOTE] +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the LAN profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the LanXML ([LANProfile](/windows/win32/nativewifi/lan-profileschema-schema) > [MSM](/windows/win32/nativewifi/lan-profileschema-msm-lanprofile-element) > [security](/windows/win32/nativewifi/lan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). + @@ -101,6 +106,7 @@ XML describing the wired network configuration and follows the LAN_profile schem +See [Examples](#examples). @@ -111,7 +117,7 @@ XML describing the wired network configuration and follows the LAN_profile schem | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -151,7 +157,7 @@ Enable block period (minutes), used to specify the duration for which automatic | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -167,6 +173,7 @@ XML describing the wired network configuration and follows the LAN_profile schem +For more information, see [Device/LanXML](#devicelanxml). @@ -188,7 +195,7 @@ XML describing the wired network configuration and follows the LAN_profile schem ## Examples -The following example shows how to add a wired network profile: +The following example shows how to add a wired network profile that authenticates with PEAP-MSCHAPv2: ```xml @@ -202,7 +209,7 @@ The following example shows how to add a wired network profile: chr - falsetrue2500025falsetruefalse26falsefalsefalsetruefalsetrue + falsetrue2500025falsetruefalse26falsefalsefalsetruefalsetrue]]> @@ -214,4 +221,6 @@ The following example shows how to add a wired network profile: ## Related articles -[Configuration service provider reference](configuration-service-provider-reference.md) +* [Configuration service provider reference](configuration-service-provider-reference.md) +* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) +* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) From 0891babae4631a6af2928f171b29ea9d72a1b894 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Wed, 14 May 2025 14:17:39 -0700 Subject: [PATCH 08/24] Correct samples --- windows/client-management/mdm/wifi-csp.md | 2 +- windows/client-management/mdm/wirednetwork-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 3898c4cc25..0e3c6924c0 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
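Review bot: On PATCH 07/24, the four applicability-table edits in `wirednetwork-csp.md` are made by hand in a file whose front matter says `ms.topic: generated-reference`, so the added "Windows 11, version 21H2 [10.0.22000] and later" rows are likely to be overwritten the next time the page is regenerated. Make the applicability change in the source the page is generated from and keep this patch to the hand-maintained parts (the note, the example lead-in and the related-articles list). The subject of PATCH 17/24 later in this series, "Remove applicability (need to update in ddf instead)", points the same way.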
@@ -390,7 +390,7 @@ The profile XML must be escaped, as shown in the following examples. If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). > [!NOTE] -> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [WPA2-Enterprise with TLS profile sample](/windows/win32/nativewifi/wpa2-enterprise-with-tls-profile-sample). +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). 
For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [Wireless profile samples](/windows/win32/nativewifi/wireless-profile-samples). diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 7d03ef8177..84a2b1dac2 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -91,7 +91,7 @@ XML describing the wired network configuration and follows the LAN_profile schem The profile XML must be escaped, as shown in the following examples. > [!NOTE] -> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the LAN profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the LanXML ([LANProfile](/windows/win32/nativewifi/lan-profileschema-schema) > [MSM](/windows/win32/nativewifi/lan-profileschema-msm-lanprofile-element) > [security](/windows/win32/nativewifi/lan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the LAN profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the LanXML ([LANProfile](/windows/win32/nativewifi/lan-profileschema-schema) > [MSM](/windows/win32/nativewifi/lan-profileschema-msm-lanprofile-element) > [security](/windows/win32/nativewifi/lan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [Wired Profile Samples](/windows/win32/nativewifi/wired-profile-samples). From 3646b59da154464f0dfab7d9e774c6e3f816a973 Mon Sep 17 00:00:00 2001 
From: Sam Yun Date: Wed, 14 May 2025 17:33:16 -0700 Subject: [PATCH 09/24] Point to samples --- windows/client-management/mdm/wifi-csp.md | 13 +++++++------ windows/client-management/mdm/wirednetwork-csp.md | 9 +++++---- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 0e3c6924c0..3e1f76f26f 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -769,7 +769,7 @@ These XML examples show how to perform various tasks using OMA DM. ### Add a network -The following example shows how to add a WPA2-Enterprise network with SSID and profile name `MyNetwork` that authenticates with PEAP-MSCHAPv2. +The following example shows how to add a WPA2-Enterprise network with SSID and profile name `MyNetwork` that authenticates with PEAP-MSCHAPv2. This example is based on the sample profile at [WPA2-Enterprise with PEAP-MSCHAPv2 profile sample](/windows/win32/nativewifi/wpa2-enterprise-with-peap-mschapv2-profile-sample). ```xml @@ -794,7 +794,7 @@ The following example shows how to add a WPA2-Enterprise network with SSID and p ``` -The following example shows how to add a WPA3-Enterprise network with profile name `My Network` and SSID `MySSID` that authenticates with EAP-TLS. +The following example shows how to add a WPA3-Enterprise network with profile name `My Network` and SSID `MySSID` that authenticates with EAP-TLS. This example is based on the sample profile at [WPA2-Enterprise with TLS profile sample](/windows/win32/nativewifi/wpa2-enterprise-with-tls-profile-sample). > [!IMPORTANT] > Notice how the space is %-escaped in the `LocURI` and unescaped in the `WLANProfile` > `name`. 
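Review bot: The new lead-in describes a WPA3-Enterprise network but says the example is based on the "WPA2-Enterprise with TLS profile sample", and it doesn't say what was changed to get from one to the other. Add a clause naming the differences from the linked sample (the payload shows `WPA3ENT` and a profile name that differs from the SSID), so a reader comparing the two doesn't copy the WPA2 settings back in. The matching sentence this patch adds to `wirednetwork-csp.md` ("...at [PEAP Profile Sample](/windows/win32/nativewifi/peap-profile-sample)") is also missing its final period.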
@@ -817,7 +817,7 @@ The following example shows how to add a WPA3-Enterprise network with profile na ``` -The following example shows how to add a WPA3-Personal (transition mode) network with profile name and SSID `MyNetwork` that includes the passphrase `TestPassword1!`. +The following example shows how to add a WPA3-Personal (transition mode) network with profile name and SSID `MyNetwork` that includes the passphrase `TestPassword1!`. This example is based on the sample profile at [WPA3-Personal with transition mode profile sample](/windows/win32/nativewifi/wpa3-personal-transition-profile-sample). ```xml @@ -890,6 +890,7 @@ The following example shows how to remove a network with SSID `MyNetwork` and no ## Related articles -* [Configuration service provider reference](configuration-service-provider-reference.md) -* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) -* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) \ No newline at end of file +- [Wireless profile samples](/windows/win32/nativewifi/wireless-profile-samples) +- [Configuration service provider reference](configuration-service-provider-reference.md) +- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) +- [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 84a2b1dac2..7b0d0d324b 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -195,7 +195,7 @@ For more information, see [Device/LanXML](#devicelanxml). ## Examples -The following example shows how to add a wired network profile that authenticates with PEAP-MSCHAPv2: +The following example shows how to add a wired network profile that authenticates with PEAP-MSCHAPv2. This example is based on the sample profile at [PEAP Profile Sample](/windows/win32/nativewifi/peap-profile-sample) ```xml @@ -221,6 +221,7 @@ The following example shows how to add a wired network profile that authenticate ## Related articles -* [Configuration service provider reference](configuration-service-provider-reference.md) -* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) -* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) +- [Wired profile samples](/windows/win32/nativewifi/wired-profile-samples) +- [Configuration service provider reference](configuration-service-provider-reference.md) +- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) +- [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles) From e124b57e258622555d7102833630bd363c46e695 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Wed, 14 May 2025 17:43:59 -0700 Subject: [PATCH 10/24] Update VPN authentication page to point to main doc page --- .../network-security/vpn/vpn-authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 26a2c22a06..df5f510507 100644 
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -71,7 +71,7 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u ## Configure authentication -See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration. +See [EAP configuration](/windows/client-management/mdm/eap-configuration) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) for EAP XML configuration. >[!NOTE] >To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/index.md). @@ -79,4 +79,3 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP). :::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile."::: - From e7043e95c134b947ba61e2da5d66355599bf29ab Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Wed, 14 May 2025 17:45:32 -0700 Subject: [PATCH 11/24] Fix certstore csp link --- windows/client-management/mdm/wifi-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 3e1f76f26f..1fb9efc0a8 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -16,7 +16,7 @@ The WiFi configuration service provider provides the functionality to add or del Programming considerations: -- If the authentication method needs a certificate (for example, client certificates for EAP-TLS), you must configure it through the [CertificateStore](./certificatestore-csp) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- If the authentication method needs a certificate (for example, client certificates for EAP-TLS), you must configure it through the [CertificateStore](certificatestore-csp.md) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. - The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. 
This condition requires that all nonexcluded ASCII characters must be escaped using a %-character, including replacing the space character (` `) with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. From 5bf4e5ce58d9308ee92bce950d4b6a4366d7c5e0 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 11:04:32 -0400 Subject: [PATCH 12/24] added note for Entra ID passkeys support on windows. --- windows/security/identity-protection/passkeys/index.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index aef59bf2b1..744c417108 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -41,9 +41,12 @@ Passkeys have several advantages over passwords, including their ease of use and By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also choose to save the passkey in one of the following locations: -- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device -- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices -- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) +- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device. +- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices. +- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN). + +>[!NOTE] +>Micorsoft Entra ID passkeys on Windows aren't currently supported. To learn see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). Pick one of the following options to learn how to save a passkey, based on where you want to store it. 
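Review bot: The added note misspells "Microsoft" as "Micorsoft" and the second sentence, "To learn see [Passkey authentication matrix with Microsoft Entra ID]", is missing "more,". The note also sits directly under the list of storage locations without saying which of them it restricts; state that the limitation applies to saving the passkey on the Windows device itself, so readers don't assume the phone and security-key options are excluded too.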
From f032707cdcc4d26e60baab3b93c645ec5d6e466e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 11:19:01 -0400 Subject: [PATCH 13/24] update note --- windows/security/identity-protection/passkeys/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 744c417108..a36ef84413 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -46,7 +46,9 @@ By default, Windows offers to save the passkey locally on the **Windows device** - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN). >[!NOTE] ->Micorsoft Entra ID passkeys on Windows aren't currently supported. To learn see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). +>Currently, Micorsoft Entra ID passkeys can't be stored on Windows devices. To learn more, see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). + +Microsoft Entra ID currently supports only device-bound passkeys stored on FIDO2 security keys or in Microsoft Authenticator Pick one of the following options to learn how to save a passkey, based on where you want to store it. From 145b1f0d148b5a0d3d20af27002b2ab86a511df3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 11:19:32 -0400 Subject: [PATCH 14/24] update --- windows/security/identity-protection/passkeys/index.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index a36ef84413..0bdc20e1d0 100644 
--- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -48,8 +48,6 @@ By default, Windows offers to save the passkey locally on the **Windows device** >[!NOTE] >Currently, Micorsoft Entra ID passkeys can't be stored on Windows devices. To learn more, see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). -Microsoft Entra ID currently supports only device-bound passkeys stored on FIDO2 security keys or in Microsoft Authenticator - Pick one of the following options to learn how to save a passkey, based on where you want to store it. #### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows) From 10bdef78ca7f8dadc8091c387f41bb3e323bea74 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Thu, 15 May 2025 21:06:01 +0530 Subject: [PATCH 15/24] acro fix --- windows/security/identity-protection/passkeys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 0bdc20e1d0..d90b5222d4 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -46,7 +46,7 @@ By default, Windows offers to save the passkey locally on the **Windows device** - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN). >[!NOTE] ->Currently, Micorsoft Entra ID passkeys can't be stored on Windows devices. To learn more, see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). +>Currently, Microsoft Entra ID passkeys can't be stored on Windows devices. To learn more, see [Passkey authentication matrix with Microsoft Entra ID](/entra/identity/authentication/concept-fido2-compatibility). Pick one of the following options to learn how to save a passkey, based on where you want to store it. @@ -396,4 +396,4 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [CSP-5]: /windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist [CSP-6]: /windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids [CSP-7]: /windows/client-management/mdm/policy-csp-deviceinstallation -[CSP-8]: /windows/client-management/mdm/policy-csp-bluetooth \ No newline at end of file +[CSP-8]: /windows/client-management/mdm/policy-csp-bluetooth From 87ece4b800ddcc9a9008283640c8182e3c4ccff7 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Thu, 15 May 2025 21:10:46 +0530 Subject: [PATCH 16/24] typo fix --- windows/security/identity-protection/passkeys/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index d90b5222d4..150f18ac34 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -391,7 +391,7 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [CSP-1]: /windows/client-management/mdm/policy-csp-bluetooth#allowadvertising [CSP-2]: /windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode -[CSP-3]: /windows/client-management/mdm/policy-csp-bluetooth#allowprepairing +[CSP-3]: /windows/client-management/mdm/policy-csp-bluetooth#allowpreparing [CSP-4]: /windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections [CSP-5]: /windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist [CSP-6]: /windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids From 8f1e0f695aee4831190dbf10b25768c5bd115270 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Thu, 15 May 2025 11:29:40 -0700 Subject: [PATCH 17/24] Remove applicability (need to update in ddf instead) --- windows/client-management/mdm/wifi-csp.md | 30 +++++++++---------- .../client-management/mdm/wirednetwork-csp.md | 8 ++--- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 1fb9efc0a8..3c625c28f3 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
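Review bot: In [PATCH 16/24], the changed line at @@ -391,7 edits a link fragment, not prose: `#allowprepairing` becomes `#allowpreparing`. The neighbouring references (`#allowadvertising`, `#allowdiscoverablemode`) are lowercased policy names used as heading anchors, and "prepairing" reads as a pre-pairing policy name rather than a misspelling of "preparing". Confirm the fragment against the headings in policy-csp-bluetooth before merging; if the heading is unchanged, this edit breaks the [CSP-3] link and should be reverted.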
@@ -18,7 +18,7 @@ Programming considerations: - If the authentication method needs a certificate (for example, client certificates for EAP-TLS), you must configure it through the [CertificateStore](certificatestore-csp.md) configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character, including replacing the space character (` `) with `%20`. Characters (including Unicode) without the necessary escaping aren't supported. +- The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character, including replacing the space character (' ') with '%20'. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. - Using `ProxyPacUrl` or `ProxyWPAD` in Windows client editions (Home, Pro, Enterprise, and Education) will fail. @@ -52,7 +52,7 @@ The following list shows the WiFi configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -91,7 +91,7 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -187,7 +187,7 @@ Allows for defining which administrative entity is setting this Wi-Fi profile. T | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -226,7 +226,7 @@ Optional node. The format is url:port. Configuration of the network proxy (if an | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | @@ -267,7 +267,7 @@ Optional node. URL to the PAC file location. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | @@ -317,7 +317,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | @@ -367,7 +367,7 @@ Optional node. If the policy is active selecting one of the values from the foll | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -415,7 +415,7 @@ See [Add a network](#add-a-network) for examples. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -454,7 +454,7 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -544,7 +544,7 @@ Allows for defining which administrative entity is setting this Wi-Fi profile. T | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | @@ -583,7 +583,7 @@ Optional node. The format is url:port. Configuration of the network proxy (if an | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | @@ -624,7 +624,7 @@ Optional node. URL to the PAC file location. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | @@ -674,7 +674,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | @@ -724,7 +724,7 @@ Optional node. If the policy is active selecting one of the values from the foll | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 7b0d0d324b..1b8f00d555 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -32,7 +32,7 @@ The following list shows the WiredNetwork configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | @@ -72,7 +72,7 @@ Enable block period (minutes), used to specify the duration for which automatic | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | @@ -117,7 +117,7 @@ See [Examples](#examples). | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | @@ -157,7 +157,7 @@ Enable block period (minutes), used to specify the duration for which automatic | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later | From a19e2927fda93ced7cbe1382e82609d5e68e4ce3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 15:58:37 -0400 Subject: [PATCH 18/24] update --- .../assigned-access/configuration-file.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index ae9ebb8fad..35b2c0500c 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md @@ -157,11 +157,14 @@ Example: ``` -> [!IMPORTANT] -> If you pins elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list: -> -> - `` -> - `` +#### Microsoft Edge secondary tiles considerations + +Microsoft Edge secondary tiles are pinned website shortcuts that appear on the Start menu. These pins provide quick access to specific websites directly from the Start menu, functioning similarly to app shortcuts. + +If you pin elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list: + +- `` +- `` ::: zone pivot="windows-10" From 0a90af6113d8a6e7000ac4b9ff9d8fbd21191626 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 16:02:11 -0400 Subject: [PATCH 19/24] update --- .../configuration/assigned-access/configuration-file.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index 35b2c0500c..970189cc17 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md 
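Review bot: In [PATCH 17/24], every Applicable OS cell in wifi-csp.md and wirednetwork-csp.md loses its "Windows 11, version 21H2 [10.0.22000] and later" row, leaving tables that read as Windows 10 only. The subject line says the applicability needs to be updated in the DDF instead, but nothing in this series shows that update, so either land the two together or say in the commit message what replaces the removed row. The first wifi-csp.md hunk (@@ -18,7) also swaps the code spans around the space character and `%20` for single quotes, which is unrelated to applicability and leaves `%20` formatted differently from `SSID` in the same bullet; split that change out or keep the backticks.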
@@ -163,8 +163,11 @@ Microsoft Edge secondary tiles are pinned website shortcuts that appear on the S If you pin elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list: -- `` -- `` +```xml + + + +``` ::: zone pivot="windows-10" From d0355dfc1f7c268f7e416fa9cbb64e154fcce433 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 15 May 2025 16:12:11 -0400 Subject: [PATCH 20/24] added link --- windows/configuration/assigned-access/configuration-file.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index 970189cc17..b2679f9258 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md @@ -169,6 +169,8 @@ If you pin elements to the Start menu with Microsoft Edge secondary tiles, inclu ``` +For more information about Start menu customizations and pinning secondary tiles, see [Customize the Start layout](../start/layout.md). + ::: zone pivot="windows-10" ### File Explorer restrictions From 4b69d5177954fd47dcd070979179554b65c1172d Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Fri, 16 May 2025 02:11:27 +0530 Subject: [PATCH 21/24] typo fix --- windows/configuration/assigned-access/configuration-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index b2679f9258..ad07fc474e 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md 
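Review bot: In [PATCH 18/24] and [PATCH 19/24], the Microsoft Edge secondary tiles requirement moves from an [!IMPORTANT] callout into body text under a new heading, which makes it easier to skim past. The AllAppList section of this same file says AppLocker rules are generated from the listed apps, so the two entries are a requirement rather than background reading. Keep the callout around the "include the following apps in the allowed apps list" sentence and its block, and leave the descriptive paragraph and the link added in [PATCH 20/24] outside it.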
@@ -127,7 +127,7 @@ Example of two profiles, a desktop app and a UWP app: ### AllAppList -Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. +Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the multi-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. > [!NOTE] > If an app has a dependency on another app, both must be included in the allowed apps list. From eec8aa4601e8f8a31936dee4f9a6339d70ddf1e6 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Thu, 15 May 2025 14:13:56 -0700 Subject: [PATCH 22/24] fixes for md preview, add explicit example --- windows/client-management/mdm/wifi-csp.md | 39 ++++++++++++++++++++--- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 3c625c28f3..4d35e88454 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -107,13 +107,13 @@ The Profile name of the Wi-Fi network. This is added when WlanXml node is added -Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is used inside the system. +Specifies the Profile name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. In the URI, it must be %-escaped, but the non-%-escaped value is used inside the system. > [!NOTE] -> This field is the Profile Name that appears as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. This value MAY be different from the SSID of the actual network being broadcast (which is under ` `). +> This field is the Profile Name that appears as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. + +The Profile name can be the same or different from the SSID of the actual network being broadcast (which is under ` `). For example, the broadcast SSID might be "CC_Corp_7" but the Profile name might be "ContosoWiFi". -> [!IMPORTANT] -> If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``), it could lead to some unexpected errors. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`. 
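Review bot: In the hunk at @@ -107,13 of [PATCH 22/24], the first sentence is changed to "Profile name" but the NOTE directly below it still says "Profile Name", so the hunk leaves both spellings side by side; pick one and apply it to both. The new sentence "can be the same or different from the SSID" also needs to read "the same as or different from".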
@@ -128,6 +128,32 @@ Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, co + +In the following example, the 'ContosoWiFi' Profile is added, targeting the 'CC_Corp_7' SSID. The rest of the profile is omitted for brevity - for complete examples, see [Add a network](#add-a-network). + +```xml + + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/ContosoWiFi/WlanXml + + + chr + + ContosoWiFiCC_Corp_7{...}]]> + + + +``` + +> [!IMPORTANT] +> If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``), it could lead to some unexpected errors at runtime. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`. +> +> In this example, if we instead had `./Vendor/MSFT/WiFi/Profile/CC_Corp_7/WlanXml`, the profile would be considered to be User provisioned, not MDM provisioned, which may cause users to connect to the wrong network. + @@ -244,6 +270,7 @@ Optional node. URL to the PAC file location. > [!NOTE] > Don't use. Using this configuration in Windows client editions will fail. + @@ -285,6 +312,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] > Don't use. Using this configuration in Windows client editions will fail. + 
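Review bot: In the hunk at @@ -128,6 of [PATCH 22/24], the consequence that matters most sits in the last added line: using `./Vendor/MSFT/WiFi/Profile/CC_Corp_7/WlanXml` makes the profile count as User provisioned instead of MDM provisioned and "may cause users to connect to the wrong network". That is a stronger outcome than the "unexpected errors at runtime" the block opens with, so lead the [!IMPORTANT] block with the rule (the LocURI segment must be the %-escaped Profile name from the Wi-Fi settings XML, which is not necessarily the SSID) and then give the CC_Corp_7 case as the counterexample. The "we" in "if we instead had" is out of step with the second-person voice used elsewhere in the file ("you can't use the Replace command"), and the hyphen in "omitted for brevity - for complete examples" should be a full stop or semicolon.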
@@ -391,6 +419,7 @@ If it exists in the blob, the **keyType** and **protected** elements must come b > [!NOTE] > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [Wireless profile samples](/windows/win32/nativewifi/wireless-profile-samples). + @@ -601,6 +630,7 @@ Optional node. URL to the PAC file location. > [!NOTE] > Don't use. Using this configuration in Windows client editions will fail. + @@ -642,6 +672,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] > Don't use. Using this configuration in Windows client editions will fail. + From 535184b8fb257dcdf34a0fa30a4445c6fb6b4660 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Thu, 15 May 2025 15:24:50 -0700 Subject: [PATCH 23/24] Point proxy config to proxycsp --- windows/client-management/mdm/wifi-csp.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 4d35e88454..784e8088ba 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -20,7 +20,7 @@ Programming considerations: - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. - The `SSID` part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all nonexcluded ASCII characters must be escaped using a %-character, including replacing the space character (' ') with '%20'. Characters (including Unicode) without the necessary escaping aren't supported. - For the WiFi CSP, you can't use the Replace command unless the node already exists. -- Using `ProxyPacUrl` or `ProxyWPAD` in Windows client editions (Home, Pro, Enterprise, and Education) will fail. +- Using `Proxy`, `ProxyPacUrl` or `ProxyWPAD` in Windows client editions (Home, Pro, Enterprise, and Education) may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. @@ -229,6 +229,9 @@ Optional node. The format is url:port. Configuration of the network proxy (if an +> [!NOTE] +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. + @@ -269,7 +272,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will fail. +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. @@ -311,7 +314,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will fail. +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. 
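Review bot: In [PATCH 23/24], the hunks at @@ -229,6, @@ -269,7 and @@ -311,7 put "Don't use" notes on the proxy nodes, while the Editions tables in the same file (see the wifi-csp.md hunks in [PATCH 17/24]) still list Pro, Enterprise and Education for every node. A reader who checks only the table will deploy the node, so reconcile the two or state in the note which editions the node does work on. "May fail or have no effect" replaces "will fail", and the silent case is the risky one for an administrator relying on the proxy being set; say how to confirm the setting was not applied, or name the NetworkProxy CSP node that replaces each one. In the @@ -20,7 bullet, add the serial comma after `ProxyPacUrl` to match "Home, Pro, Enterprise, and Education" in the same sentence.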
@@ -589,6 +592,9 @@ Optional node. The format is url:port. Configuration of the network proxy (if an +> [!NOTE] +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. + @@ -629,7 +635,7 @@ Optional node. URL to the PAC file location. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will fail. +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. @@ -671,7 +677,7 @@ Optional node. The presence of the field enables WPAD for proxy lookup. > [!NOTE] -> Don't use. Using this configuration in Windows client editions will fail. +> Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead. From 4e491ee32462712d20ffa6e1ad80396f4c11fb8a Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 16 May 2025 13:20:23 -0700 Subject: [PATCH 24/24] Metadata updates - manager - ms.collection --- ...asic-level-windows-diagnostic-events-and-fields-1809.md | 6 ++++-- ...nfigure-windows-diagnostic-data-in-your-organization.md | 6 ++++-- windows/privacy/diagnostic-data-viewer-overview.md | 6 ++++-- windows/privacy/diagnostic-data-viewer-powershell.md | 5 ++++- .../essential-services-and-connected-experiences.md | 5 ++++- windows/privacy/index.yml | 3 ++- ...ng-system-components-to-microsoft-services-using-MDM.md | 5 ++++- ...ws-operating-system-components-to-microsoft-services.md | 5 ++++- windows/privacy/manage-windows-11-endpoints.md | 5 ++++- windows/privacy/manage-windows-1809-endpoints.md | 5 ++++- windows/privacy/manage-windows-21h2-endpoints.md | 5 ++++- windows/privacy/optional-diagnostic-data.md | 6 ++++-- .../required-diagnostic-events-fields-windows-11-22H2.md | 6 ++++-- .../required-diagnostic-events-fields-windows-11-24H2.md | 6 ++++-- ...uired-windows-diagnostic-data-events-and-fields-2004.md | 6 ++++-- .../windows-11-endpoints-non-enterprise-editions.md | 5 ++++- windows/privacy/windows-privacy-compliance-guide.md | 7 +++++-- 17 files changed, 67 insertions(+), 25 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 9ba990de30..d2e845de5d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -6,10 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/01/2024 ms.topic: reference -ms.collection: privacy-windows +ms.collection: +- privacy-windows +- must-keep --- 
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 6239e43f99..e367317ea5 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -6,10 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 03/11/2016 -ms.collection: highpri ms.topic: how-to +ms.collection: +- privacy-windows +- must-keep --- # Configure Windows diagnostic data in your organization diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 63e25e508f..a794a57c74 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -6,10 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 01/09/2018 -ms.collection: highpri ms.topic: how-to +ms.collection: +- privacy-windows +- must-keep --- # Diagnostic Data Viewer Overview diff --git a/windows/privacy/diagnostic-data-viewer-powershell.md b/windows/privacy/diagnostic-data-viewer-powershell.md index 3aa78b5848..54ed628d22 100644 --- a/windows/privacy/diagnostic-data-viewer-powershell.md +++ b/windows/privacy/diagnostic-data-viewer-powershell.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 12/13/2018 ms.topic: how-to +ms.collection: +- privacy-windows +- must-keep --- # Diagnostic Data Viewer for PowerShell Overview diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index d59b42605f..b6edb1591e 100644 
--- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 06/13/2024 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Essential services and connected experiences for Windows diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index e17ca37e0c..cb17f69ddc 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -13,9 +13,10 @@ metadata: ms.collection: - essentials-privacy - privacy-windows + - must-keep author: DHB-MSFT ms.author: danbrown - manager: laurawi + manager: dansimp ms.date: 04/30/2025 ms.localizationpriority: high diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 47797f36e0..663a1fb614 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 05/15/2019 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9e89ce6f88..e349cbd218 100644 
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 06/27/2024 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 4bf198648c..6ed92f1764 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/06/2023 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Manage connection endpoints for Windows 11 Enterprise diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index ab2077895d..4baed27cd9 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 01/18/2018 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Manage connection endpoints for Windows 10 Enterprise, version 1809 diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index d9b12eeca8..d1c796a2e9 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md 
@@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 01/18/2018 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Manage connection endpoints for Windows 10 Enterprise, version 21H2 diff --git a/windows/privacy/optional-diagnostic-data.md b/windows/privacy/optional-diagnostic-data.md index 9c3b3247ea..0c6dc6be07 100644 --- a/windows/privacy/optional-diagnostic-data.md +++ b/windows/privacy/optional-diagnostic-data.md @@ -6,10 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 03/31/2017 -ms.collection: highpri ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Optional diagnostic data for Windows 11 and Windows 10 diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 4d704e6dd5..800f6a44bf 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -7,10 +7,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/01/2024 ms.topic: reference -ms.collection: privacy-windows +ms.collection: +- privacy-windows +- must-keep --- # Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2 diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md index a18ec35c86..e17b4cc411 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md 
@@ -7,10 +7,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/01/2024 ms.topic: reference -ms.collection: privacy-windows +ms.collection: +- privacy-windows +- must-keep --- # Required diagnostic events and fields for Windows 11, version 24H2 diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 4af11c5787..fc05807bdb 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -6,9 +6,11 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/01/2024 -ms.collection: privacy-windows +ms.collection: +- privacy-windows +- must-keep ms.topic: reference --- diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index 2ced47d282..a4dbd390e2 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -6,9 +6,12 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 10/06/2023 ms.topic: reference +ms.collection: +- privacy-windows +- must-keep --- # Windows 11 connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md index 2cb7a70074..155caa56e4 100644 --- a/windows/privacy/windows-privacy-compliance-guide.md +++ b/windows/privacy/windows-privacy-compliance-guide.md 
@@ -6,10 +6,13 @@ ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown -manager: laurawi +manager: dansimp ms.date: 05/20/2019 ms.topic: article -ms.collection: essentials-compliance +ms.collection: +- essentials-compliance +- privacy-windows +- must-keep --- # Windows Privacy Compliance:
A Guide for IT and Compliance Professionals
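Review bot: In the hunk for windows/privacy/configure-windows-diagnostic-data-in-your-organization.md, the `-ms.collection: highpri` line is removed and the new list carries only `privacy-windows` and `must-keep`, so the `highpri` value is dropped rather than preserved. The same happens in the hunks for diagnostic-data-viewer-overview.md and optional-diagnostic-data.md. If these three articles are still meant to be in that collection, add `- highpri` to the new list. If dropping it is deliberate, say so in the commit message, because the rest of the patch reads as a pure addition of `must-keep` plus the `manager` change.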
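Review bot: In the hunk for windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md, the new `ms.collection:` list stays above `ms.topic: reference`, while every other Markdown file touched here ends up with `ms.topic` first and the `ms.collection:` list as the last front-matter key. Key order does not change how the YAML parses, but the point of this patch is to make the metadata uniform across the privacy articles, so move the list below `ms.topic` here as well. That keeps later bulk edits and greps over this block predictable.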