deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into ap-reliability-report-022624

Browse Source
This commit is contained in:
Tiara Quan 2024-04-01 08:35:10 -07:00 committed by GitHub
commit 5e869eee45
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
21 changed files with 279 additions and 298 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
.acrolinx-config.edn
View File

@ -2,40 +2,32 @@
:allowed-branchname-matches ["main" "release-.*"]
:allowed-filename-matches ["windows/"]
:targets
:use-gh-statuses true
:targets
{
:counts {
;;:correctness 13
;;:total 15 ;; absolute flag count but i don't know the difference between this and issues
;;:issues 15 ;; coming from the platform, will need to be tested.
;;:correctness 13
;;:total 15 ;;
;;:issues 15 ;;
;;:correctness 13 ;;
}
:scores {
;;:terminology 100
:qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
:qualityscore 80 ;;
;;:correctness 40
}
}
:guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific"
:acrolinx-check-settings
{
"languageId" "en"
"ruleSetName" "Standard"
"requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE"
"TERMINOLOGY_DEPRECATED"
"TERMINOLOGY_VALID"
"VOICE_GUIDANCE"
]
"termSetNames" ["M365" "Products" "Microsoft"]
}
:template-header
"
## Acrolinx Scorecards
## Acrolinx Scorecards
**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.**
**The minimum Acrolinx topic score of 80 is required for all Magic content merged to the default branch.**
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
@ -43,22 +35,26 @@ If you need a scoring exception for content in this PR, add the *Sign off* and t
- Escalate the exception request to the Acrolinx Review Team for review.
- Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch.
For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master).
For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
| Article | Score | Issues | Correctness<br>score | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
|---------|:--------------:|:--------------------:|:------:|:---------:|
"
:template-change
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
"| ${s/status} ${s/file} | [${acrolinx/qualityscore}](${acrolinx/scorecard}) | ${acrolinx/scores/words_and_phrases} | ${acrolinx/scores/correctness} | ${acrolinx/scores/clarity} |
"
:template-footer
"
**More info about Acrolinx**
**More information about Acrolinx**
Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master).
- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
- [False positives or issues](https://aka.ms/acrolinxbug)
- [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
"
}

10
windows/client-management/client-tools/add-remove-hide-features.md
View File

@ -4,7 +4,7 @@ description: Learn how to add or remove Windows optional features using the Opti
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 03/13/2024
ms.date: 03/28/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
@ -85,7 +85,7 @@ Once the **System > Optional features** pane is open, add a feature with the fol
1. Once all of the desired features are selected, select the **Next** button.
1. Review the selected list of features and then select the **Install** button to add the selected features.
1. Review the selected list of features and then select the **Add** button to add the selected features.
::: zone-end
@ -99,7 +99,7 @@ Once the **Optional features** pane is open, add a feature with the following st
1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
1. Once all of the desired features are selected, select the **Install** button.
1. Once all of the desired features are selected, select the **Add** button.
::: zone-end
@ -115,7 +115,7 @@ Once the **System > Optional features** pane is open, remove a feature with the
1. Under **Installed features**, search for the feature that needs to be removed in the **Search installed features** search box, or scroll through the list of added features until the feature that needs to be removed is found.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
::: zone-end
@ -125,7 +125,7 @@ Once the **Optional features** pane is open, remove a feature with the following
1. Under **Installed features**, search for the feature that needs to be removed in the **Find an installed optional feature** search box, or scroll through the list of added features until the feature that needs to be removed is found.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
::: zone-end

12
windows/client-management/manage-windows-copilot.md
View File

@ -3,7 +3,7 @@ title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: conceptual
ms.subservice: windows-copilot
ms.date: 02/09/2024
ms.date: 03/21/2024
ms.author: mstewart
author: mestew
appliesto:
@ -109,10 +109,12 @@ To verify that Copilot with commercial data protection is enabled for the user a
1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu.
1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
1. Verify that **Copilot** is enabled for the user.
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**.
> [!Note]
> If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise) using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise), see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
1. Copilot with commercial data protection is used as the chat provider platform for users when the following conditions are met:
- Users have an eligible license, commercial data protection in Copilot is enabled, and the [Copilot in Windows user experience is enabled](#enable-the-copilot-in-windows-user-experience-for-windows-11-version-22h2-clients).
- Users are signed in with their Microsoft Entra ID (work accounts)
- Users can sign into Windows with their Microsoft Entra ID
- For Active Directory users on Windows 11, a Microsoft Entra ID in the Web Account Manager (WAM) authentication broker can be used. Entra IDs in Microsoft Edge profiles and Microsoft 365 Apps would both be in WAM. <!--8470699-->
The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled:

7
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -389,6 +389,13 @@ This policy controls the configuration under which winlogon sends MPR notificati
<!-- EnableMPRNotifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Starting in Windows Insiders build 25216, the behavior of EnableMPRNotifications policy was changed, and the Group Policy was updated with the following text:
>
> - **Friendly name**: Configure the transmission of the user's password in the content of MPR notifications sent by winlogon
> - **Description**: This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
> - If you disable this setting or do not configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
> - If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
<!-- EnableMPRNotifications-Editable-End -->
<!-- EnableMPRNotifications-DFProperties-Begin -->

2
windows/client-management/mdm/unifiedwritefilter-csp.md
View File

@ -19,7 +19,7 @@ The table below shows the applicability of Windows:
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
> **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
> **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10/11 Enterprise and Windows 10/11 Education.
The following example shows the UWF configuration service provider in tree format.
```

43
windows/deployment/do/mcc-isp-faq.yml
View File

@ -15,7 +15,7 @@ metadata:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/27/2023
ms.date: 03/21/2024
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache
@ -27,6 +27,8 @@ sections:
answer: Yes. Microsoft Connected Cache is a free service.
- question: What will Microsoft Connected Cache do for me? How will it impact our customers?
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
- question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network?
answer: MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
- question: Is there a non-disclosure agreement to sign?
answer: No, a non-disclosure agreement isn't required.
- question: What are the prerequisites and hardware requirements?
@ -40,29 +42,36 @@ sections:
The following are recommended hardware configurations:
<!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
[!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
| Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation|
| -------- | -------- | -------- | -------- |
| Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| VM </br> Up to 8 cores</br></br>Up to 16-GB memory</br></br>1 500 GB SSD|
| Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| VM or hardware</br></br>16 cores*</br></br>32-GB memory</br></br>2 - 3 500-GB SSDs each|
|Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| Hardware, see sample spec below:</br></br>32 or more cores*</br></br>64 or more GB memory</br></br>4 - 6 500 - 1-TB SSDs** each |
*Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher.
**Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher).
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
- Dell PowerEdge R330
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
- question: Will I need to provide hardware BareMetal server or VM?
answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software.
- question: Do I need to provide hardware BareMetal server or VM?
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
- question: Can we use hard drives instead of SSDs?
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
- question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
- question: Do I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
- question: Should I add any load balancing mechanism?
answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
- question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries or regions?
answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
- question: How many Microsoft Connected Cache instances do I need? How do we set up if we support multiple countries or regions?
answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
- question: Where should we install Microsoft Connected Cache?
answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
- question: What content is cached by Microsoft Connected Cache?
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md).
- question: Does Microsoft Connected Cache support Xbox or Teams content?
@ -73,9 +82,9 @@ sections:
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What CDNs will Microsoft Connected Cache pull content from?
- question: What CDNs does Microsoft Connected Cache pull content from?
answer: |
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
$ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA"
@ -84,13 +93,13 @@ sections:
$ whois 13.107.4.50|grep "Organization:"
Organization: Microsoft Corporation (MSFT)
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic?
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how does it affect my traffic?
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender `microsoft-noreply@microsoft.com`.
- question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache?
answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing).
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
answer: Even when the quota of 8k messages is hit, the MCC functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).

26
windows/deployment/do/mcc-isp-overview.md
View File

@ -13,7 +13,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 07/27/2023
ms.date: 03/21/2024
---
# Microsoft Connected Cache for ISPs overview
@ -37,10 +37,15 @@ Microsoft Connected Cache uses Delivery Optimization as the backbone for Microso
- Endpoint protection: Windows Defender definition updates
- Xbox: Xbox Game Pass (PC only)
Do you peer with [Microsoft (ASN 8075)](/azure/internet-peering/)? Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, and Edgecast. Microsoft Peering mainly caches dynamic content - by onboarding to Microsoft Connected Cache, you'll cache static content that otherwise would be served from the CDN.
For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
### Are you already peering with 8075?
MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
:::image type="content" source="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png" alt-text="Chart containing Peering vs Cache Content Traffic." lightbox="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png":::
## How MCC works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
@ -71,3 +76,18 @@ The following steps describe how MCC is provisioned and used:
1. Subsequent requests from end-user devices for content will be served from cache.
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
### Hardware recommendation
The following are recommended hardware configurations based on traffic ranges:
| Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation|
| -------- | -------- | -------- | -------- |
| Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| **VM** </br> </br>Up to 8 cores</br></br>Up to 16-GB memory</br></br>1 500 GB SSD|
| Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| **VM or hardware**</br></br>16 cores*</br></br>32-GB memory</br></br>2 - 3 500-GB SSDs each|
|Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| **Hardware**, see sample spec below:</br></br> 32 or more cores*</br></br>64 or more GB memory</br></br>4 - 6 500 - 1-TB SSDs** each |
*Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher.
**Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher).

BIN
windows/deployment/do/media/mcc-isp-overview/mcc-isp-peeringvsmcc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

4
windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
View File

@ -80,10 +80,6 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- Device configuration
- Office Click-to-run
- Last Intune device check in completed within the last 28 days.
- Devices must have Serial Number, Model and Manufacturer.
> [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check.
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.

8
windows/deployment/windows-missing-fonts.md
View File

@ -7,7 +7,7 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 03/13/2024
ms.date: 03/28/2024
ms.subservice: itpro-deploy
zone_pivot_groups: windows-versions-11-10
appliesto:
@ -131,7 +131,7 @@ Once the **Language** pane is open, add the fonts associated with a language and
1. Drop down the menu below **Windows display language** to show all of the languages currently added to the device.
1. If the desired language isn't listed, add the fonts for the desired language by selecting the **+** button next to **Add a language**.
1. If the desired language isn't listed, add the fonts for the desired language by selecting the **+** button next to **Add a language** in the **Preferred languages** section.
1. In the **Choose a language to install** window that opens:
@ -203,7 +203,7 @@ Once the **System > Optional features** pane is open, add a supplemental font wi
1. Once all of the desired supplemental fonts are selected, select the **Next** button.
1. Review the selected list of features and then select the **Install** button to add the selected features.
1. Review the selected list of features and then select the **Add** button to add the selected features.
::: zone-end
@ -227,7 +227,7 @@ Once the **Optional features** pane is open, add a supplemental font with the fo
1. Find the desired supplemental font to add and then select the box next to the supplemental font to add it. Multiple supplemental fonts can be selected.
1. Once all of the desired supplemental fonts are selected, select the **Install** button.
1. Once all of the desired supplemental fonts are selected, select the **Add** button.
::: zone-end

30
windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -5,36 +5,34 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 03/16/2023
ms.date: 03/26/2024
ms.topic: article
appliesto:
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>
---
# Windows Defender Application Control and virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and higher
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like kiosk devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
1. The Windows kernel handles enforcement of WDAC policy and requires no other services or agents.
2. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
3. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows.
4. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
5. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution.
1. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
1. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows.
1. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who manages to gain administrative privilege, to tamper with WDAC policy.
1. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution.
There are no direct dependencies between WDAC and memory integrity. You can deploy them individually or together and there's no order in which they must be deployed.
Memory integrity relies on Windows virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet.
Memory integrity relies on Windows Virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet.
WDAC has no specific hardware or software requirements.

52
windows/security/application-security/application-control/user-account-control/how-it-works.md
View File

@ -1,8 +1,8 @@
---
title: How User Account Control works
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
ms.topic: concept-article
ms.date: 05/24/2023
ms.date: 03/26/2024
---
# How User Account Control works
@ -26,7 +26,7 @@ To better understand how this process works, let's take a closer look at the Win
The following diagram shows how the sign in process for an administrator differs from the sign in process for a standard user.
:::image type="content" source="images/uac-windows-logon-process.gif" alt-text="Diagram that describes the UAC Windows logon process.":::
:::image type="content" source="images/uac-windows-logon-process.gif" alt-text="Diagram that describes the UAC Windows sign-in process.":::
By default, both standard and administrator users access resources and execute apps in the security context of a standard user.\
When a user signs in, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
@ -91,9 +91,9 @@ The elevation process is further secured by directing the prompt to the *secure
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
> [!NOTE]
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt might be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
@ -109,34 +109,34 @@ To better understand each component, review the following tables:
|Component|Description|
|--- |--- |
|<p>User performs operation requiring privilege|<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|<p>ShellExecute|<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|<p>CreateProcess|<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
|User performs operation requiring privilege|If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|ShellExecute|ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|CreateProcess|If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
### System
|Component|Description|
|--- |--- |
|<p>Application Information service|<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user may give consent.|
|<p>Elevating an ActiveX install|<p>If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|<p>Check UAC slider level|<p>UAC has a slider to select from four levels of notification.<ul><li><p>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you often install new software or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li><p>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended due to security concerns.|
|<p>Secure desktop enabled|<p>The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li><p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li><p>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|<p>CreateProcess|<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|<p>AppCompat|<p>The AppCompat database stores information in the application compatibility fix entries for an application.|
|<p>Fusion|<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|<p>Installer detection|<p>Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
|Application Information service|A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user might give consent.|
|Elevating an ActiveX install|If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|Check UAC slider level|UAC has a slider to select from four levels of notification.<ul><li>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you often install new software or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended due to security concerns.|
|Secure desktop enabled|The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|CreateProcess|CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|AppCompat|The AppCompat database stores information in the application compatibility fix entries for an application.|
|Fusion|The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|Installer detection|Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
### Kernel
|Component|Description|
|--- |--- |
|<p>Virtualization|<p>Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|<p>File system and registry|<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
|Virtualization|Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|File system and registry|The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
The slider never turns off UAC completely. If you set it to **Never notify**, it will:
- Keep the UAC service running
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt
- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
- Automatically deny all elevation requests for standard users
> [!IMPORTANT]
@ -156,7 +156,7 @@ Most app tasks operate properly by using virtualization features. Although virtu
Virtualization isn't an option in the following scenarios:
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
### Request execution levels
@ -178,11 +178,11 @@ Installer detection only applies to:
Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name
- Keywords in the side-by-side manifest are embedded in the executable file
- Keywords in specific StringTable entries are linked in the executable file
- Key attributes in the resource script data are linked in the executable file
- There are targeted sequences of bytes within the executable file
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.

9
windows/security/application-security/application-control/user-account-control/index.md
View File

@ -2,19 +2,20 @@
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
ms.topic: overview
ms.date: 05/24/2023
ms.date: 03/26/2024
---
# User Account Control overview
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that might affect the stability and security of their device.
Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and you can configure it if you have administrative privileges.
## Benefits of UAC
UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
Other applications, like ones that aren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* might perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.
Other applications, like ones that aren't designed with security settings in mind, might require more permissions to run successfully. These applications are referred to as *legacy apps*.
When a user tries to perform an action that requires administrative privileges, UAC triggers a *consent prompt*. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:

30
windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
View File

@ -1,7 +1,7 @@
---
title: User Account Control settings and configuration
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
ms.date: 07/31/2023
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy, and registry.
ms.date: 03/26/2024
ms.topic: how-to
---
@ -20,7 +20,7 @@ The following table lists the available settings to configure the UAC behavior,
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.|
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
@ -67,18 +67,18 @@ You can use security policies to configure how User Account Control works in you
The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
| Group Policy setting |Default value|
| - | - |
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home edition only)<br />Disabled (default) |
|User Account Control: Only elevate executables that are signed and validated| Disabled |
|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
| Group Policy setting | Default value |
|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
| User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
| User Account Control: Detect application installations and prompt for elevation | Enabled (default for home edition only)<br />Disabled (default) |
| User Account Control: Only elevate executables that are signed and validated | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
#### [:::image type="icon" source="../../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)

10
windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
View File

@ -2,7 +2,7 @@
title: Windows Sandbox architecture
description: Windows Sandbox architecture
ms.topic: article
ms.date: 05/25/2023
ms.date: 03/26/2024
---
# Windows Sandbox architecture
@ -15,7 +15,7 @@ Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Ba
Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows.
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once installed, the dynamic base image occupies about 500 MB of disk space.
![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png)
@ -27,7 +27,7 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
## Memory sharing
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png)
@ -37,7 +37,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling
![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container.
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.
## WDDM GPU virtualization
@ -47,7 +47,7 @@ This feature allows programs running inside the sandbox to compete for GPU resou
![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png)
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
## Battery pass-through

50
windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
View File

@ -2,7 +2,7 @@
title: Windows Sandbox configuration
description: Windows Sandbox configuration
ms.topic: article
ms.date: 05/25/2023
ms.date: 03/26/2024
---
# Windows Sandbox configuration
@ -11,13 +11,13 @@ Windows Sandbox supports simple configuration files, which provide a minimal set
A configuration file enables the user to control the following aspects of Windows Sandbox:
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories may allow malicious software to affect the system or steal data.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data.
- **Logon command**: A command that's executed when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the RDP session to the sandbox.
- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox.
- **Printer redirection**: Shares printers from the host into the sandbox.
- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
@ -37,7 +37,7 @@ To create a configuration file:
</Configuration>
```
3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below.
3. Add appropriate configuration text between the two lines. For details, see [examples](#examples).
4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
## Using a configuration file
@ -59,7 +59,7 @@ Enables or disables GPU sharing.
Supported values:
- *Enable*: Enables vGPU support in the sandbox.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled.
> [!NOTE]
@ -82,7 +82,7 @@ Supported values:
### Mapped folders
An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop.
An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop.
```xml
<MappedFolders>
@ -97,11 +97,9 @@ An array of folders, each representing a location on the host machine that will
</MappedFolders>
```
*HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container will fail to start.
*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop.
- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
@ -129,7 +127,7 @@ Enables or disables audio input to the sandbox.
Supported values:
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
@ -189,7 +187,7 @@ Enables or disables sharing of the host clipboard with the sandbox.
Supported values:
- *Enable*: Enables sharing of the host clipboard with the sandbox.
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
@ -198,13 +196,15 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
`<MemoryInMB>value</MemoryInMB>`
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount.
## Example 1
## Examples
### Example 1
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
### Downloads.wsb
#### Downloads.wsb
```xml
<Configuration>
@ -223,17 +223,17 @@ The following config file can be used to easily test the downloaded files inside
</Configuration>
```
## Example 2
### Example 2
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
### VSCodeInstall.cmd
#### VSCodeInstall.cmd
Download vscode to `downloads` folder and run from `downloads` folder.
Downloads VS Code to `downloads` folder and runs installation from `downloads` folder.
```batch
REM Download Visual Studio Code
@ -243,7 +243,7 @@ REM Install and run Visual Studio Code
C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
```
### VSCode.wsb
#### VSCode.wsb
```xml
<Configuration>
@ -265,15 +265,15 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
</Configuration>
```
## Example 3
### Example 3
The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
### SwapMouse.ps1
#### SwapMouse.ps1
Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
```powershell
[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null

9
windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
View File

@ -2,20 +2,20 @@
title: Windows Sandbox
description: Windows Sandbox overview
ms.topic: article
ms.date: 05/25/2023
ms.date: 03/26/2024
---
# Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD).
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
@ -70,9 +70,6 @@ Windows Sandbox has the following properties:
## Usage
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
2. Run the executable file or installer inside the sandbox.
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**.
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.

194
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -2,7 +2,7 @@
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.topic: conceptual
ms.date: 03/16/2023
ms.date: 03/26/2024
appliesto:
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
@ -13,17 +13,16 @@ appliesto:
# Enable virtualization-based protection of code integrity
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
>
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
@ -47,30 +46,23 @@ Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory i
### Enable memory integrity using Intune
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
1. Double-click **Turn on Virtualization Based Security**.
1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
1. Select **Ok** to close the editor.
5. Select **Ok** to close the editor.
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
### Use registry keys to enable memory integrity
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
<!--This comment ensures that the Important above and the Warning below don't merge together. -->
> [!IMPORTANT]
>
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
@ -79,19 +71,13 @@ Set the following registry keys to enable memory integrity. These keys provide e
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable memory integrity without UEFI Lock):
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
@ -155,52 +141,6 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\Hyperviso
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
```
#### For Windows 10 version 1511 and earlier
Recommended settings (to enable memory integrity, without UEFI Lock):
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
If you want to customize the preceding recommended settings, use the following settings.
**To enable VBS (it is always locked to UEFI)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA (value 3)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable memory integrity (with the default, UEFI lock)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
```
**To enable memory integrity without UEFI lock**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Enable memory integrity using Windows Defender Application Control (WDAC)
You can use WDAC policy to turn on memory integrity using any of the following techniques:
@ -214,10 +154,12 @@ You can use WDAC policy to turn on memory integrity using any of the following t
### Validate enabled VBS and memory integrity features
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
#### Use Win32_DeviceGuard WMI class
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: **Win32_DeviceGuard**. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell
Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
```
> [!NOTE]
@ -225,90 +167,92 @@ Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windo
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
#### AvailableSecurityProperties
##### AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
Value | Description
-|-
**0.** | If present, no relevant properties exist on the device.
**1.** | If present, hypervisor support is available.
**2.** | If present, Secure Boot is available.
**3.** | If present, DMA protection is available.
**4.** | If present, Secure Memory Overwrite is available.
**5.** | If present, NX protections are available.
**6.** | If present, SMM mitigations are available.
**7.** | If present, MBEC/GMET is available.
**8.** | If present, APIC virtualization is available.
| Value | Description |
|-------|---------------------------------------------------------|
| **0** | If present, no relevant properties exist on the device. |
| **1** | If present, hypervisor support is available. |
| **2** | If present, Secure Boot is available. |
| **3** | If present, DMA protection is available. |
| **4** | If present, Secure Memory Overwrite is available. |
| **5** | If present, NX protections are available. |
| **6** | If present, SMM mitigations are available. |
| **7** | If present, MBEC/GMET is available. |
| **8** | If present, APIC virtualization is available. |
#### InstanceIdentifier
##### InstanceIdentifier
A string that is unique to a particular device and set by WMI.
#### RequiredSecurityProperties
##### RequiredSecurityProperties
This field describes the required security properties to enable VBS.
Value | Description
-|-
**0.** | Nothing is required.
**1.** | If present, hypervisor support is needed.
**2.** | If present, Secure Boot is needed.
**3.** | If present, DMA protection is needed.
**4.** | If present, Secure Memory Overwrite is needed.
**5.** | If present, NX protections are needed.
**6.** | If present, SMM mitigations are needed.
**7.** | If present, MBEC/GMET is needed.
| Value | Description |
|-------|------------------------------------------------|
| **0** | Nothing is required. |
| **1** | If present, hypervisor support is needed. |
| **2** | If present, Secure Boot is needed. |
| **3** | If present, DMA protection is needed. |
| **4** | If present, Secure Memory Overwrite is needed. |
| **5** | If present, NX protections are needed. |
| **6** | If present, SMM mitigations are needed. |
| **7** | If present, MBEC/GMET is needed. |
#### SecurityServicesConfigured
##### SecurityServicesConfigured
This field indicates whether Credential Guard or memory integrity has been configured.
This field indicates whether Credential Guard or memory integrity is configured.
Value | Description
-|-
**0.** | No services are configured.
**1.** | If present, Credential Guard is configured.
**2.** | If present, memory integrity is configured.
**3.** | If present, System Guard Secure Launch is configured.
**4.** | If present, SMM Firmware Measurement is configured.
| Value | Description |
|-------|-------------------------------------------------------|
| **0** | No services are configured. |
| **1** | If present, Credential Guard is configured. |
| **2** | If present, memory integrity is configured. |
| **3** | If present, System Guard Secure Launch is configured. |
| **4** | If present, SMM Firmware Measurement is configured. |
#### SecurityServicesRunning
##### SecurityServicesRunning
This field indicates whether Credential Guard or memory integrity is running.
Value | Description
-|-
**0.** | No services running.
**1.** | If present, Credential Guard is running.
**2.** | If present, memory integrity is running.
**3.** | If present, System Guard Secure Launch is running.
**4.** | If present, SMM Firmware Measurement is running.
| Value | Description |
|-------|----------------------------------------------------|
| **0** | No services running. |
| **1** | If present, Credential Guard is running. |
| **2** | If present, memory integrity is running. |
| **3** | If present, System Guard Secure Launch is running. |
| **4** | If present, SMM Firmware Measurement is running. |
#### Version
##### Version
This field lists the version of this WMI class. The only valid value now is **1.0**.
#### VirtualizationBasedSecurityStatus
##### VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running.
Value | Description
-|-
**0.** | VBS isn't enabled.
**1.** | VBS is enabled but not running.
**2.** | VBS is enabled and running.
| Value | Description |
|-------|---------------------------------|
| **0** | VBS isn't enabled. |
| **1** | VBS is enabled but not running. |
| **2** | VBS is enabled and running. |
#### PSComputerName
##### PSComputerName
This field lists the computer name. All valid values for computer name.
#### Use msinfo32.exe
Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section.
:::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::
## Troubleshooting
- If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
- If a device driver fails to load or crashes at runtime, you might be able to update the driver using **Device Manager**.
- If you experience a critical error during boot or your system is unstable after turning on memory integrity, you can recover using the Windows Recovery Environment (Windows RE).
1. First, disable any policies that are used to enable VBS and memory integrity, for example Group Policy.
2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
@ -338,5 +282,5 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- Memory integrity and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of Virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of Virtualization-based security using `Set-VMSecurity`.

BIN
windows/security/hardware-security/images/system-information-virtualization-based-security.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 13 KiB

12
windows/whats-new/deprecated-features-resources.md
View File

@ -1,7 +1,7 @@
---
title: Resources for deprecated features in the Windows client
description: Resources and details for deprecated features in the Windows client.
ms.date: 10/09/2023
ms.date: 03/25/2024
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -21,6 +21,16 @@ appliesto:
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
## WordPad
WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. As a result, Windows will no longer have a built-in, default RTF reader. We recommend Microsoft Word for rich text documents like .doc and .rtf and Notepad for plain text documents like .txt. The following binaries will be removed as a result of WordPad removal:
- wordpad.exe
- wordpadfilter.dll
- write.exe
Avoid taking a direct dependency on these binaries and Wordpad in your product. Instead, for trying to open a text file, rely on Microsoft Word or Notepad.
## VBScript
VBScript will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before being retired in future Windows releases. Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript.

21
windows/whats-new/deprecated-features.md
View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 03/14/2024
ms.date: 03/25/2024
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -19,13 +19,13 @@ appliesto:
# Deprecated features for Windows client
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client.<!-- this sentence is used by tip for RSS --> For more information about features that have been removed, see [Windows features removed](removed-features.md).
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client.<!-- this sentence is used by tip for RSS --> For more information about features that were removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
> [!TIP]
> You can use RSS to be notified when this page is updated.<!-- 8590853 --> For example, the following RSS link includes this article:
@ -47,8 +47,9 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
| NPLogonNotify and NPPasswordChangeNotify APIs <!--8787264--> | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a users password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 |
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
@ -61,13 +62,13 @@ The features in this article are no longer being actively developed, and might b
| Remote Mailslots <!--8454244-->| Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
| Timeline for Microsoft Entra accounts <!--8396095--> | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
| VBScript <!--7954828--> | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. </br></br> **[Update - March 2024]**: WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | September 1, 2023 |
| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows <!--7987543--> | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) <!--6968128--> | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm <!--7116112-->| This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**.</br> </br> Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Windows Information Protection <!-- 6010051 --> | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).<br> <br>For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
@ -85,7 +86,7 @@ The features in this article are no longer being actively developed, and might b
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
@ -99,7 +100,7 @@ The features in this article are no longer being actively developed, and might b
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: </br> - Windows 11 </br> - Windows 10, version 21H2, or later | 1709 |
|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
@ -112,7 +113,7 @@ The features in this article are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update is deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|