Merge branch 'main' into v-smandalika-bl-rcvgdplan-4318240

This commit is contained in:
Siddarth Mandalika 2022-09-26 14:36:52 +05:30
commit 67e747f9a2
45 changed files with 1901 additions and 867 deletions


@ -2,6 +2,14 @@
## Week of September 19, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 9/20/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
## Week of September 12, 2022
@ -42,11 +50,3 @@
| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
## Week of August 15, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |


@ -1,7 +1,7 @@
---
title: Azure AD Join with Set up School PCs app
description: Describes how Azure AD Join is configured in the Set up School PCs app.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library


@ -1,7 +1,7 @@
---
title: What's in Set up School PCs provisioning package
description: Lists the provisioning package settings that are configured in the Set up School PCs app.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library


@ -1,7 +1,7 @@
---
title: Shared PC mode for school devices
description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
@ -63,7 +63,7 @@ To create a compatible image, first create your custom Windows image with all so
Teachers can then run the Set up School PCs package on the computer.
## Optimize device for use by a single student
Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
1. In the app, go to the **Create package** > **Settings** step.
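Review bot: the removed and added lines beginning "Shared PC mode is enabled by default" are textually identical, so this part of the hunk changes only trailing whitespace or line endings; harmless, but if it wasn't intended it adds blame noise to a paragraph that otherwise didn't change.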


@ -1,7 +1,7 @@
---
title: Set up School PCs app technical reference overview
description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library


@ -1,7 +1,7 @@
---
title: What's new in the Windows Set up School PCs app
description: Find out about app updates and new features in Set up School PCs.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared PC, school, set up school pcs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library


@ -1,7 +1,7 @@
---
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
keywords: shared PC, school, Set up School PCs, overview, how to use
ms.prod: windows
ms.mktglfcycl: deploy
ms.sitesec: library
@ -179,13 +179,13 @@ The following table describes each setting and lists the applicable Windows 10 v
|Setting |1703|1709|1803|1809|What happens if I select it? |Note|
|---------|---------|---------|---------|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.|
|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a students PC from the lock screen, apply the devices original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
After you've made your selections, click **Next**.
After you've made your selections, click **Next**.
### Time zone
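Review bot: the new Note for "Optimize device for a single student, instead of a shared cart or lab" inverts the guidance. The old text read "Recommended option only if the device is not shared with other students in the school"; the new text reads "Recommended if the device will be shared between different students", which contradicts the setting's own name and the "Allow local storage" row directly above it, which now says "Not recommended if the device will be shared between different students". The same row explains why this matters: the option keeps student accounts for 180 days and raises the storage cap to 100% of the disk, so applying it to a shared cart leaves one student's cached profile and files on a machine other students sign in to. Suggest: "Recommended only if the device will not be shared between different students." The "After you've made your selections, click **Next**." pair is identical before and after, so that part of the hunk is whitespace-only.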


@ -60,7 +60,7 @@ The following table lists all the applications included in Windows 11 SE and the
| File Explorer | Win32 | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Groove Music | UWP | ✅ | |
| Media Player | UWP | ✅ | |
| Maps | UWP | | |
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
@ -87,7 +87,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
@ -112,7 +112,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps |
| Kortext | 2.3.433.0 | Store | Kortext |
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
| LanSchool | 9.1.0.46 | Win32 | Stoneware |
| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. |
| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. |
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |


@ -2,14 +2,14 @@
title: Local Administrator Password Solution CSP
description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
author: jay98014
ms.reviewer: vinpa
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
ms.date: 09/20/2022
---
# Local Administrator Password Solution CSP
@ -19,6 +19,9 @@ The Local Administrator Password Solution (LAPS) configuration service provider
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
> [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
The following example shows the LAPS CSP in tree format.
```xml
@ -231,7 +234,7 @@ Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
### PasswordExpirationProtectionEnabled
<!--Description-->
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
Use this setting to configure enforcement of maximum password age for the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
@ -758,3 +761,5 @@ This example is configuring a hybrid device to back up its password to Active Di
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
[Windows LAPS](/windows-server/identity/laps/laps)


@ -83,7 +83,8 @@ PassportForWork
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
----------FacialFeaturesUseEnhancedAntiSpoofing
----------EnableESSwithSupportedPeripherals
-------DeviceUnlock
----------GroupA
----------GroupB
@ -286,8 +287,6 @@ Boolean value used to enable or disable the use of biometric gestures, such as f
Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
@ -305,6 +304,26 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
<a href="" id="biometrics-enableESSwithSupportedPeripherals--only-for---device-vendor-msft-"></a>**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
If you enable this policy it can have the following possible values:
**0 - Enhanced Sign-in Security Disabled** (not recommended)
Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.
If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1.
Supported operations are Add, Get, Delete, and Replace.
*Supported from Windows 11 version 22H2*
<a href="" id="deviceunlock"></a>**DeviceUnlock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.
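Review bot: the opening sentence "If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked" is wrong as written, because enabling the policy with value 0 is precisely what allows peripheral biometrics; the block applies at value 1 or when the policy is not configured, as the two value descriptions and the "If you disable or do not configure" paragraph say. Suggest: "When this policy is set to 1, or is not configured, Windows Hello authentication using peripheral biometric sensors is blocked." The node's value type is not stated, although the SyncML example added later in this file sends it as int; add "Value type is int." alongside the supported operations. Since setting 0 after enrollment forces a PIN reset and discards all biometric enrollments, that consequence deserves a callout rather than being buried mid-paragraph.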
@ -551,7 +570,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target>
@ -566,6 +585,21 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
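Review bot: the new CmdID 16 item sets EnableESSwithSupportedPeripherals to 0, which the policy text above labels "Enhanced Sign-in Security Disabled (not recommended)" and warns will prompt users to reset their PIN and lose their biometric enrollments. An example that admins will copy into a baseline should show the recommended value 1, or at least say in the surrounding prose that it deliberately demonstrates opting out. Separately, the node is documented as "(only for ./Device/Vendor/MSFT)" while the LocURI here is ./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals; confirm the two agree so the example targets device scope as the description requires.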


@ -29,7 +29,7 @@ The Personalization CSP can set the lock screen and desktop background images. S
This CSP was added in Windows 10, version 1703.
> [!Note]
> Personalization CSP is supported in Windows 10 Enterprise and Education SKUs. It works in Windows 10 Pro and Windows 10 Pro in S mode if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
The following example shows the Personalization configuration service provider in tree format.
```
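Review bot: "Windows Professional" is not the SKU name the removed line used ("Windows 10 Pro"); "Windows Pro" keeps the note consistent with the rest of these docs. The rewrite also drops the explicit "Pro in S mode" mention; if S mode is still covered when SetEduPolicies is set, say so, since the old text called it out and school deployments are where S mode shows up.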


@ -32,6 +32,10 @@ The following example shows the SecureAssessment configuration service provider
SecureAssessment
----LaunchURI
----TesterAccount
----AllowScreenMonitoring
----RequirePrinting
----AllowTextSuggestions
----Assessments
```
<a href="" id="--vendor-msft-secureassessment"></a>**./Vendor/MSFT/SecureAssessment**
The root node for the SecureAssessment configuration service provider.
@ -67,6 +71,60 @@ Added in Windows 10, version 1703. Boolean value that indicates whether keyboard
Supported operations are Get and Replace.
<a href="" id="Assessments"></a>**Assessments**
Added in Windows 11, version 22H2. Enables support for multiple assessments. When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments.
Supported operations are Add, Delete, Get and Replace.
XML schema
```xml
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="AssessmentsRoot">
<xs:complexType>
<xs:sequence>
<xs:element name="Assessments">
<xs:complexType>
<xs:sequence>
<xs:element name="Assessment" maxOccurs="unbounded" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element type="xs:string" name="TestName"/>
<xs:element type="xs:string" name="TestUri"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
Example:
```xml
<?xml version="1.0" encoding="utf-16"?>
<AssessmentsRoot xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Assessments>
<Assessment>
<TestName>English exam</TestName>
<TestUri>https://contoso.com/english</TestUri>
</Assessment>
<Assessment>
<TestName>Math exam</TestName>
<TestUri>https://contoso.com/math</TestUri>
</Assessment>
<Assessment>
<TestName>Geography exam</TestName>
<TestUri>https://contoso.com/geography</TestUri>
</Assessment>
</Assessments>
</AssessmentsRoot>
```
## Related topics
[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs)
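Review bot: TestUri is declared as xs:string and the text never says how the value is validated, which matters here because this node decides what the locked-down assessment browser loads. State whether TestUri must be https, whether other schemes are rejected, and what happens when one entry in the list is malformed (whole string rejected, or that entry skipped). Typing it as xs:anyURI would at least document the intent in the schema. The example also declares encoding="utf-16" while the node "accepts an XML string"; say whether the declaration is required or ignored when the payload is sent over OMA-DM. Minor: the operations list reads "Add, Delete, Get and Replace" while the SharedPC CSP in this same commit uses "Add, Get, Replace, and Delete".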


@ -8,7 +8,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 01/16/2019
ms.date: 09/23/2022
---
# SharedPC CSP
@ -81,9 +81,6 @@ In Windows 10, version 1607, the value is set to True and the education environm
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
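Review bot: this and the following hunks delete the "If used, this value must be set before the action on the **EnableSharedPCMode** node is taken" note from every optional node, and the matching DDF descriptions, with nothing in the diff saying the ordering constraint was lifted. If the runtime still applies these values only when EnableSharedPCMode fires, an admin who orders the SyncML differently now gets a device in shared mode with default power, deletion, storage and kiosk settings and no documentation explaining why. Either keep one ordering statement at the EnableSharedPCMode node, or add a sentence stating that the settings are applied regardless of order and from which version that holds.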
@ -91,9 +88,6 @@ The default value is Not Configured and the effective power settings are determi
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
> [!NOTE]
>  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
@ -101,9 +95,6 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
@ -111,9 +102,6 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
@ -121,9 +109,6 @@ The default value is Not Configured, and effective behavior is determined by the
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
@ -131,9 +116,6 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="accountmodel"></a>**AccountModel**
Configures which type of accounts are allowed to use the PC.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
@ -147,9 +129,6 @@ Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
Configures when accounts are deleted.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete.
For Windows 10, version 1607, here's the list shows the supported values:
@ -168,9 +147,6 @@ The default value is Not Configured. Its value in the SharedPC provisioning pack
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The default value is Not Configured. Its default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not.
@ -180,9 +156,6 @@ The supported operations are Add, Get, Replace, and Delete.
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
The default value is Not Configured. The default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under the deletion threshold and disk space is low, regardless whether the PC is actively in use or not.
@ -194,26 +167,17 @@ Added in Windows 10, version 1703. Restricts the user from using local storage.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
- Value type is string.
- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
@ -226,9 +190,6 @@ The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
- Default value is Not Configured.
- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.


@ -80,7 +80,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on</Description>
<Description>Setting this node to "1" triggers the action to configure a device to Shared PC mode with OneDrive sync turned on</Description>
<DFFormat>
<bool />
</DFFormat>
@ -104,7 +104,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Set a list of EDU policies. This node is independent of EnableSharedPCMode.</Description>
<Description>Set a list of EDU policies.</Description>
<DFFormat>
<bool />
</DFFormat>
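Review bot: dropping "This node is independent of EnableSharedPCMode." from the SetEduPolicies description removes the one statement that says education policies can be applied without putting the device into shared PC mode, and the Personalization CSP page in this same commit relies on exactly that ("It works in Windows Professional if SetEduPolicies in SharedPC CSP is set"). Keep the sentence unless the behaviour changed, in which case the Personalization note needs updating too.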
@ -128,7 +128,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Specify that the power policies should be set when configuring SharedPC mode. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Specify that the power policies should be set when configuring SharedPC mode. This node is optional.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -152,7 +152,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). This node is optional.</Description>
<DFFormat>
<int />
</DFFormat>
@ -176,7 +176,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Require signing in on waking up from sleep. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Require signing in on waking up from sleep. This node is optional.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -200,7 +200,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>300</DefaultValue>
<Description>The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.</Description>
<DFFormat>
<int />
</DFFormat>
@ -344,7 +344,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Restricts the user from using local storage. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Restricts the user from using local storage. This node is optional.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -367,7 +367,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Get />
<Replace />
</AccessType>
<Description>Specifies the AUMID of the app to use with assigned access. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Specifies the AUMID of the app to use with assigned access. This node is optional.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -390,7 +390,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Get />
<Replace />
</AccessType>
<Description>Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -438,7 +438,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>1024</DefaultValue>
<Description>Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional.</Description>
<DFFormat>
<int />
</DFFormat>


@ -1,11 +1,11 @@
---
title: Manually configuring devices for Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Manually configuring devices for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article


@ -1,11 +1,11 @@
---
title: Configuring Microsoft Endpoint Manager devices for Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
@ -21,62 +21,64 @@ ms.topic: article
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
> [!TIP]
> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
## Create a configuration profile
Take the following steps to create a configuration profile that will set required policies for Update Compliance:
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
2. On the **Configuration profiles** view, select **Create a profile**.
3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
4. For **Template name**, select **Custom**, and then press **Create**.
5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
1. On the **Configuration profiles** view, select **Create a profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
1. For **Template name**, select **Custom**, and then press **Create**.
1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
2. Add a setting for **Commercial ID** with the following values:
1. Add a setting for **Commercial ID** with the following values:
- **Name**: Commercial ID
- **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
- **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
- **Data type**: String
- **Value**: *Set this to your Commercial ID*
2. Add a setting configuring the **Windows Diagnostic Data level** for devices:
1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
- **Name**: Allow Telemetry
- **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
- **Data type**: Integer
- **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
- **Name**: Disable Telemetry opt-in interface
- **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
- **Data type**: Integer
- **Value**: 1
4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
- **Name**: Allow device name in Diagnostic Data
- **Description**: Allows device name in Diagnostic Data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
- **Data type**: Integer
- **Value**: 1
5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
- **Name**: Allow Update Compliance Processing
- **Description**: Opts device data into Update Compliance processing. Required to see data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
- **Data type**: Integer
- **Value**: 16
6. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
- **Name**: Allow commercial data pipeline
- **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
- **Data type**: Integer
- **Value**: 1
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
8. Review and select **Create**.
1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
1. Review and select **Create**.
## Deploy the configuration script
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
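Review bot: the switch to the docs' `1.` list convention is incomplete in this hunk: the step `2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices...` is left as `2.` between two `1.` items, so the source now mixes both styles (rendering is unaffected, but the convention the hunk is adopting is not applied). Two pre-existing defects on lines this hunk touches are worth taking along: the link text `Get your CommmercialID` has a triple m, and the description `Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.` is ungrammatical; "Prevents end users from lowering the diagnostic data level below the one set by Allow Telemetry" states what the value of 1 actually enforces, which matters because a device whose user lowers the level silently drops out of Update Compliance. Last, the closing paragraph keeps `Pilot mode` and `Deployment mode` capitalized while the corresponding paragraph of the v2 article in this same commit uses lowercase; pick one.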

@ -1,7 +1,7 @@
---
title: Update Compliance Configuration Script
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Downloading and using the Update Compliance Configuration Script
ms.prod: w10
author: mestew

@ -1,11 +1,11 @@
---
title: Delivery Optimization in Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
@ -46,7 +46,7 @@ The table breaks down the number of bytes from each download source into specifi
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates.
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or a Configuration Manager Distribution Point for Express Updates.
<!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
[!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)]

@ -1,11 +1,11 @@
---
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

@ -1,10 +1,10 @@
---
title: Get started with Update Compliance
manager: dougeby
manager: aczechowski
description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection:
- M365-analytics

@ -1,11 +1,11 @@
---
title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article

@ -1,9 +1,9 @@
---
title: Update Compliance - Need Attention! report
manager: dougeby
manager: aczechowski
description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.prod: w10

@ -1,11 +1,11 @@
---
title: Privacy in Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: an overview of the Feature Update Status report
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance - Safeguard Holds report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSDeploymentStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSDeploymentStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSInsiderStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSInsiderStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSUpdateStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSUpdateStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WUDOAggregatedStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WUDOAggregatedStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WUDOStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WUDOStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

@ -1,11 +1,11 @@
---
title: Update Compliance Data Schema
ms.reviewer:
manager: dougeby
manager: aczechowski
description: an overview of Update Compliance data schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---
@ -21,7 +21,7 @@ The table below summarizes the different tables that are part of the Update Comp
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |

@ -1,11 +1,11 @@
---
title: Update Compliance - Security Update Status report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Security Update Status section provides information about security updates across all devices.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

@ -1,11 +1,11 @@
---
title: Using Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how to use Update Compliance to monitor your device's Windows updates.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article

@ -24,8 +24,10 @@ ms.date: 08/24/2022
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md).
1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md).
> [!TIP]
> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
## Create a configuration profile
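Review bot: same mixed numbering as in the v1 article in this commit: `2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices...` is still `2.` while the steps before and after it were changed to `1.`. Convert it too so the list uses one convention.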
@ -105,7 +107,7 @@ Create a configuration profile that will set the required policies for Update Co
## Deploy the configuration script
The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices.

@ -159,7 +159,7 @@
items:
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) (FAQ)
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md

@ -253,8 +253,8 @@ Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exch
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
- When attempting to access an on-premises resource from an Azure AD joined device
- The first sign-in or unlock with Windows Hello for Business after provisioning
- When attempting to access an on-premises resource from a Hybrid Azure AD joined device
### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
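Review bot: the rewording of the two bullets changes their meaning, not just their wording, and drops the Azure AD joined case entirely. Before, the first-sign-in requirement was scoped to Hybrid Azure AD joined devices and the on-premises-resource requirement to Azure AD joined devices; after, `The first sign-in or unlock with Windows Hello for Business after provisioning` applies to every device type and the second bullet names Hybrid Azure AD joined devices, so a reader running Azure AD joined devices no longer learns that reaching on-premises resources from those devices needs a domain controller. If the intent is that both join types need line of sight in both situations, say so explicitly; otherwise restore the per-join-type scoping.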

@ -1,12 +1,13 @@
---
title: BitLocker recovery guide (Windows 10)
description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.reviewer:
ms.prod: m365-security
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.collection:
- M365-security-compliance
- highpri
@ -21,11 +22,11 @@ ms.custom: bitlocker
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows Server 2016 and later
This topic describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
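Review bot: `This topic describes how to recover BitLocker keys from AD DS.` still says "topic" while the new front-matter description in this file, and the very next sentence, say "article"; align it, since the hunk is already touching the surrounding lines.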
@ -44,7 +45,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
@ -280,7 +281,16 @@ This error might occur if you updated the firmware. As a best practice, you shou
## Windows RE and its usage in BitLocker Device Encryption
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
To activate the on-screen keyboard, tap on a text input control.
:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
## BitLocker recovery screen
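Review bot: the rewritten paragraph still contains `BitLockerprotected` (missing hyphen, twice in its last sentence), and the sentence `In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment...` has no verb for its subject; "In Windows 8.1 and later, on devices whose firmware supports the PCR[7] measurements, the TPM can validate..." reads cleanly. The added guidance is consistent with the rest of the section: the TPM-only case correctly routes the key prompt to Windows RE rather than the boot manager, and **Windows** + **CTRL** + **Enter** is the standard Narrator toggle.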

Binary file not shown (image added, 395 KiB).

@ -30,25 +30,25 @@ sections:
- question: Can an IT admin specify which files should be encrypted?
answer: |
Yes, but it can only be done using the PDE APIs.
Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
- question: Do I need to use OneDrive as my backup provider?
answer: |
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider.
- question: What is the relation between Windows Hello for Business and PDE?
answer: |
Windows Hello for Business unlocks PDE encryption keys during user sign on.
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files.
- question: Can a file be encrypted with both PDE and EFS at the same time?
answer: |
No. PDE and EFS are mutually exclusive.
- question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
- question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
No. Accessing PDE encrypted files over RDP isn't currently supported.
- question: Can a PDE encrypted files be access via a network share?
- question: Can PDE encrypted files be access via a network share?
answer: |
No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
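Review bot: `Can PDE encrypted files be access via a network share?` fixes the stray article but keeps the verb error; it should read "be accessed". The rest of the hunk is fine, and linking "PDE APIs" to the `UserDataProtectionManager` reference gives the first answer a concrete target.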
@ -62,11 +62,11 @@ sections:
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-256 to encrypt files
PDE uses AES-CBC with a 256-bit key to encrypt files
additionalContent: |
## See also
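Review bot: `PDE uses AES-CBC with a 256-bit key to encrypt files` has no terminal period (the old line lacked one too). Since the answer now names the cipher mode, readers will ask the obvious follow-up: whether PDE-encrypted files carry integrity protection, given that CBC on its own provides confidentiality only. If that is known, add it here; if not, leave the sentence as it is rather than wording it in a way that implies tamper protection.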

@ -1,6 +1,6 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
author: frankroj
ms.author: frankroj
@ -40,19 +40,19 @@ ms.date: 09/22/2022
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
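Review bot: the crash-dump bullet's new text drops a word: `keys used by PDE decrypt files` should read `keys used by PDE to decrypt files`, as the other rewritten bullets do. Two pre-existing defects survive the rewrite and should be fixed while these lines are touched: `crash dumbs` is a typo for `crash dumps` in both the crash-dump and hibernation bullets, and the hibernation bullet's cross-reference sentence says `For information on disabling crash dumbs via Intune` where it should say disabling hibernation, since it links to the Disable hibernation section.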
@ -94,15 +94,15 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption
| Item | PDE | BitLocker |
|--|--|--|
| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
| Encryption keys discarded | At user sign out | At reboot |
| Release of key | At user sign-in via Windows Hello for Business | At boot |
| Keys discarded | At user sign-out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.
To see if a file is encrypted with PDE or EFS:
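Review bot: the renamed table rows are inconsistent in number: `Release of key` is singular while `Keys discarded` is plural; use `Release of keys` (or `Key discarded`) so the two rows read as a pair. The `sign-in`/`sign-out` hyphenation is consistent with the description metadata change earlier in this file.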
@ -118,9 +118,7 @@ Encryption information including what encryption method is being used can be obt
## Disable PDE and decrypt files
Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
In certain scenarios a user may be able to manually decrypt a file using the following steps:
Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
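Review bot: the merged sentence `PDE encrypted files can be decrypted using cipher.exe using the following steps` both repeats `using` and misdescribes the steps that follow, which walk through the file Properties dialog (General tab, Advanced...) rather than a cipher.exe command line. Either keep the old sentence that introduced the manual steps separately, or reword along the lines of `However, in certain scenarios a user can decrypt PDE encrypted files manually, for example with cipher.exe, using the following steps:` so the lead-in matches the procedure shown.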
@ -139,4 +137,4 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
## See also
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
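Review bot: this hunk only removes the trailing newline at end of file, which most linters flag; keep the file ending in a newline. While this line is being touched, fix the typo in the link text: `polices` should be `policies` in `Configure Personal Data Encryption (PDE) polices in Intune`.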

View File

@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
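Review bot: the Supported versions column changes are not applied uniformly: the hardware-accelerated rendering, camera and microphone, and auditing rows drop the Windows 10 Pro entries the old rows listed, while the download and root certificate rows keep `Enterprise or Pro`; confirm the Pro removals are intentional rather than lost in the column rewrite. Two style points in the new rows: the print row still says `Completely turns Off` although the clipboard row was changed to lowercase `turns off`, and `wont` in the hardware-accelerated rendering row needs an apostrophe.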

View File

@ -1,18 +1,15 @@
---
title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.date: 03/14/2022
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer: sazankha
manager: aaroncz
ms.date: 09/23/2022
ms.custom: asr
ms.technology: windows-sec
---
# Application Guard testing scenarios
@ -59,7 +56,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
@ -75,7 +72,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
5. Click **Enabled**, choose Option **1**, and click **OK**.
5. Select **Enabled**, choose Option **1**, and select **OK**.
![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png)
@ -110,15 +107,14 @@ You have the option to change each of these settings to work with your enterpris
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
- Windows 11
- Windows 10 Enterprise or Pro editions, version 1803 or later
- Windows 11 Enterprise or Pro editions
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and select **OK**.
![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png)
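Review bot: the new Applies to list states `Windows 10 Enterprise or Pro editions, version 1803 or later`, dropping the Enterprise 1709 entry, but the clipboard settings row in the policy settings table changed in this same commit still lists `Windows 10 Enterprise, 1709 or higher`; align the two so the minimum supported version for the clipboard setting is stated consistently.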
@ -138,25 +134,25 @@ You have the option to change each of these settings to work with your enterpris
- Both text and images can be copied between the host PC and the isolated container.
5. Click **OK**.
5. Select **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and select **OK**.
![Group Policy editor Print options.](images/appguard-gp-print.png)
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
4. Click **OK**.
4. Select **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and select **OK**.
![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png)
@ -166,32 +162,33 @@ You have the option to change each of these settings to work with your enterpris
4. Add the site to your **Favorites** list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
> If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
> Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
> <!--- Inline HTML is used on the next several lines so that the ordinal numbers will be rendered correctly; Markdown would otherwise try to render them as letters (a, b, c...) because they would be treated as a nested list --->
> **To reset the container, follow these steps:**<br/>1. Open a command-line program and navigate to Windows/System32.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
>
> _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
**Applies to:**
- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
- Windows 11
- Windows 10 Enterprise or Pro editions, version 1803
- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and select **OK**.
![Group Policy editor Download options.](images/appguard-gp-download.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Microsoft Defender Application Guard.
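Review bot: the note now opens with `Starting with Windows 11, version 22H2, data persistence is disabled by default`, and the rewritten Applies to list repeats the same statement a few lines later; keep it in one place. The Applies to list also says `Windows 10 Enterprise or Pro editions, version 1803`, while the Allow Persistence table row changed in this commit lists `Windows 10 Enterprise, 1709 or higher` and `Windows 11 Enterprise` only; the edition and version claims should match across the two files.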
@ -201,7 +198,7 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and Select **OK**.
![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png)
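Review bot: `Select **Enabled** and Select **OK**.` capitalises the second `Select`; every other hunk in this file uses lowercase `select` mid-sentence, so change it to `Select **Enabled** and select **OK**.`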
@ -209,21 +206,15 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
**Applies to:**
- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
- Windows 11
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Select **Enabled** and select **OK**.
![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
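Review bot: the deleted Applies to block (Windows 10 Enterprise and Professional, version 1809, and Windows 11) sat directly above the camera and microphone section and was the only version statement for that scenario; with it gone the section carries no version information, while the policy settings table in this commit still lists `Windows 10 Enterprise, 1809 or higher` for camera and microphone access. Either restore an updated Applies to list for this section or confirm the omission is intended.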
@ -233,11 +224,11 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.
![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
## Application Guard Extension for third-party web browsers
@ -245,9 +236,9 @@ The [Application Guard Extension](md-app-guard-browser-extension.md) available f
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
1. Open either Firefox or Chrome whichever browser you have the extension installed on.
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png)
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
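Review bot: `In other words, an internal website maintained by your organization.` is a sentence fragment; fold it into the preceding sentence, for example `Navigate to an organizational website, that is, an internal website maintained by your organization.` The unchanged context line `external website site` in step 3 is also redundant and could be fixed while this step list is being edited.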

View File

@ -6,7 +6,7 @@ ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
ms.date: 09/29/2021
@ -62,6 +62,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- webclnt.dll/davsvc.dll
- wfc.exe
- windbg.exe
- wmic.exe
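Review bot: the new list item `webclnt.dll/davsvc.dll` bundles two binaries on one line, whereas the rest of the list has one file per item; split it into `webclnt.dll` and `davsvc.dll` so each entry can be matched to its own Deny rule in the policy XML. Also confirm that corresponding Deny rules for both files were added to the policy below, since the hunk shown here only changes the prose list.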
@ -119,7 +120,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<VersionEx>10.1.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
@ -143,50 +144,51 @@ Select the correct version of each .dll for the Windows release you plan to supp
<EKUs />
<!-- File Rules -->
<FileRules>
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ASPNET" FriendlyName="aspnet_compiler.exe" FileName="aspnet_compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ASPNET" FriendlyName="aspnet_compiler.exe" FileName="aspnet_compiler.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion="5.812.10240.0" />
<Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INTUNE_AGENT" FriendlyName="IntuneWindowsAgent.exe" FileName="Microsoft.Management.Services.IntuneWindowsAgent.exe" MinimumFileVersion="1.46.204.0" />
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WEBCLNT" FriendlyName="BlockWebDAV WebClnt" FileName="davsvc.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355"/>
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe" FileName="wscript.exe" MinimumFileVersion="5.812.10240.0" />
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<!-- pick the correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on the release you are supporting -->
<!-- the versions of these files in the 1903 release have this issue fixed, so they dont need to be blocked -->
<!-- RS1 Windows 1607
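Review bot: the new MaximumFileVersion value "65355.65355.65355.65355" looks like a transposition of 65535 (0xFFFF, the largest value a file-version component can hold, and the value every replaced line used). With 65355 as the ceiling, a binary whose version component falls between 65356 and 65535 lies outside the denied range, so correct every occurrence to 65535.65535.65535.65535, including the pre-existing ID_DENY_INSTALLUTIL rule that already carries the typo. Two smaller points in the same hunk: the new ID_DENY_WEBCLNT line ends in `"/>` without the space before `/>` that every other rule uses (`... MaximumFileVersion="65535.65535.65535.65535" />`), and ID_DENY_KD and ID_DENY_KD_KMCI are identical rules for kd.Exe, which is pre-existing but worth deduplicating while the block is being rewritten. The unchanged comment "they dont need to be blocked" is also missing its apostrophe.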
@ -874,7 +876,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_FSI" />
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
<FileRuleRef RuleID="ID_DENY_INFINSTALL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_KD" />
<FileRuleRef RuleID="ID_DENY_KILL" />
<FileRuleRef RuleID="ID_DENY_LXSS" />
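Review bot: the ID_DENY_INSTALLUTIL FileRuleRef appears as both the removed and the added line with no visible difference, so this is a whitespace-only change (indentation or a trailing space). That is fine if it aligns the line with its neighbours, but if it introduces trailing whitespace it should be dropped so the diff stays limited to the substantive rule changes.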
@ -894,6 +896,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER" />
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM" />
<FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
<FileRuleRef RuleID="ID_DENY_WEBCLNT" />
<FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_WINDBG" />
<FileRuleRef RuleID="ID_DENY_WMIC" />
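Review bot: the ID_DENY_WEBCLNT reference matches the rule ID added in the FileRules section and sits in alphabetical order between VISUALUIAVERIFY and WFC, consistent with the rest of the list. If the policy carries a second signing-scenario list (the separate ID_DENY_KD_KMCI rule in the FileRules section suggests one), check whether the WebDAV rule needs a reference there as well; a Deny rule that is defined but never referenced from a signing scenario is not enforced.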
@ -902,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
<FileRuleRef RuleID="ID_DENY_WSLHOST" />
<!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />

View File

@ -61,9 +61,18 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Wslhost.dll
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
- [AppLocker overview](applocker/applocker-overview.md)
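Review bot: the exception list ends with "Wslhost.dll", but the block rules in this commit deny wslhost.exe (ID_DENY_WSLHOST, FileName="wslhost.exe") and no Wslhost.dll rule exists, so either the entry should read wslhost.exe or a different file is meant; as written, readers cannot map the exception to a rule. The list also capitalises names (Infdefaultinstall.exe, Microsoft.Build.dll) where the policy XML and the bullet list in the block-rules article use the policy spelling (infdefaultinstall.exe); match the policy spelling so the names can be searched for. The duplicated "AppLocker overview" line is only the rendering of a newly added trailing newline and needs no change.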

View File

@ -43,7 +43,7 @@ For more information, see [Enhanced Phishing Protection in Microsoft Defender Sm
<!-- 6286281-->
**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md#wdac-and-smart-app-control).
For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control).
## Credential Guard
<!--6289166-->