diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index f717d3e0a8..7e028ba6b7 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@@ -199,6 +199,36 @@
 "source_path": "education/windows/autopilot-reset.md",
 "redirect_url": "/autopilot/windows-autopilot-reset",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/set-up-students-pcs-with-apps.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/set-up-windows-10.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/edu-deployment-recommendations.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/set-up-school-pcs-azure-ad-join.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/set-up-students-pcs-to-join-domain.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/windows-editions-for-education-customers.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index ab61b600f3..93c765cf10 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
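Review bot: The last two lines of the `@@ -199,6 +199,36 @@` hunk rewrite the closing `}` of `.openpublishing.redirection.education.json` without a final newline (`\ No newline at end of file`). Nothing else in the hunk touches that line, so this looks like an editor side effect rather than an intended change. Restoring the newline keeps the closing brace out of the next diff that appends entries to this file.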
@@ -1682,12 +1682,12 @@
 },
 {
 "source_path": "windows/deploy/assign-applications-using-roles-in-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
 "redirect_document_id": false
 },
 {
@@ -1717,17 +1717,17 @@
 },
 {
 "source_path": "windows/deploy/configure-mdt-deployment-share-rules.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deploy/configure-mdt-for-userexit-scripts.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deploy/configure-mdt-settings.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-settings",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
 "redirect_document_id": false
 },
 {
@@ -1742,7 +1742,7 @@
 },
 {
 "source_path": "windows/deploy/create-a-windows-10-reference-image.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
 "redirect_document_id": false
 },
 {
@@ -1752,12 +1752,12 @@
 },
 {
 "source_path": "windows/deploy/deploy-a-windows-10-image-using-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deploy/deploy-whats-new.md",
- "redirect_url": "/windows/deployment/deploy-whats-new",
+ "redirect_url": "/windows/deployment/",
 "redirect_document_id": false
 },
 {
@@ -1772,7 +1772,12 @@
 },
 {
 "source_path": "windows/deploy/deploy-windows-to-go.md",
- "redirect_url": "/windows/deployment/deploy-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deploy-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -1782,7 +1787,7 @@
 },
 {
 "source_path": "windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
 "redirect_document_id": false
 },
 {
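Review bot: In the `@@ -1772,7 +1772,12 @@` hunk the legacy source `windows/deploy/deploy-windows-to-go.md` is retargeted to the generic `/windows/deployment/windows-deployment-scenarios-and-tools` page, while the entry added directly below it sends `windows/deployment/deploy-windows-to-go.md` to the archived article under `/previous-versions/`. The two sources appear to be the same article at different historical paths, so readers following the older links lose the specific content even though an archive copy exists. If that is not intended, use the archive URL for the legacy entry as well: `"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deploy-windows-to-go",`. The same split is repeated in the five `windows/plan/*windows-to-go*` hunks later in this file, including the security-and-data-protection article.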
@@ -1922,7 +1927,7 @@
 },
 {
 "source_path": "windows/deploy/prepare-for-windows-deployment-with-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
 "redirect_document_id": false
 },
 {
@@ -2002,7 +2007,7 @@
 },
 {
 "source_path": "windows/deploy/refresh-a-windows-7-computer-with-windows-10.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
 "redirect_document_id": false
 },
 {
@@ -2017,7 +2022,7 @@
 },
 {
 "source_path": "windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
 "redirect_document_id": false
 },
 {
@@ -2047,7 +2052,7 @@
 },
 {
 "source_path": "windows/deploy/set-up-mdt-for-bitlocker.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
 "redirect_document_id": false
 },
 {
@@ -2057,7 +2062,7 @@
 },
 {
 "source_path": "windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
 "redirect_document_id": false
 },
 {
@@ -2207,7 +2212,7 @@
 },
 {
 "source_path": "windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
- "redirect_url": "/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
 "redirect_document_id": false
 },
 {
@@ -2217,12 +2222,12 @@
 },
 {
 "source_path": "windows/deploy/use-orchestrator-runbooks-with-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
 "redirect_document_id": false
 },
 {
@@ -2252,7 +2257,7 @@
 },
 {
 "source_path": "windows/deploy/use-web-services-in-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
 "redirect_document_id": false
 },
 {
@@ -2532,7 +2537,7 @@
 },
 {
 "source_path": "windows/deploy/windows-10-poc-mdt.md",
- "redirect_url": "/windows/deployment/windows-10-poc-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-10-poc-mdt",
 "redirect_document_id": false
 },
 {
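Review bot: The new target for `windows/deploy/windows-10-poc-mdt.md` in the `@@ -2532,7 +2537,7 @@` hunk is `/previous-versions/windows/it-pro/windows-10/deployment/windows-10-poc-mdt`, but the entry this commit adds for `windows/deployment/windows-10-poc-mdt.md` in the `@@ -12734,6 +12769,101 @@` hunk of the same file ends in `/deployment/deploy-windows-mdt/windows-10-poc-mdt`. Both sources look like the same article, so one of the two URLs is presumably wrong and would send readers to a missing page. The archive's actual location is not visible in this diff. Confirm it and give both entries the same `redirect_url`.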
@@ -11202,7 +11207,12 @@
 },
 {
 "source_path": "windows/plan/best-practice-recommendations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/best-practice-recommendations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/best-practice-recommendations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11332,7 +11342,12 @@
 },
 {
 "source_path": "windows/plan/deployment-considerations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/deployment-considerations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/deployment-considerations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deployment-considerations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11427,7 +11442,12 @@
 },
 {
 "source_path": "windows/plan/prepare-your-organization-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/prepare-your-organization-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/prepare-your-organization-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/prepare-your-organization-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11462,7 +11482,12 @@
 },
 {
 "source_path": "windows/plan/security-and-data-protection-considerations-for-windows-to-go.md",
- "redirect_url": "/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/security-and-data-protection-considerations-for-windows-to-go",
 "redirect_document_id": false
 },
 {
@@ -11652,7 +11677,12 @@
 },
 {
 "source_path": "windows/plan/windows-to-go-overview.md",
- "redirect_url": "/windows/deployment/planning/windows-to-go-overview",
+ "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/planning/windows-to-go-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-overview",
 "redirect_document_id": false
 },
 {
@@ -12725,6 +12755,11 @@
 "redirect_url": "/windows/deployment/update/waas-wufb-group-policy",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/deployment/planning/windows-to-go-frequently-asked-questions.yml",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-frequently-asked-questions",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md",
 "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades",
@@ -12734,6 +12769,101 @@
 "source_path": "windows/deployment/windows-10-media.md",
 "redirect_url": "/licensing/",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-10-poc-mdt.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md",
+ "redirect_url": "/windows/deployment/upgrade/resolve-windows-upgrade-errors",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json
index a55f0f9966..4b4b40b0a6 100644
--- a/.openpublishing.redirection.windows-configuration.json
+++ b/.openpublishing.redirection.windows-configuration.json
@@ -280,10 +280,300 @@
 "redirect_url": "/windows/configuration/windows-diagnostic-data",
 "redirect_document_id": false
 },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-o365.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-overview.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-1.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-2.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-3.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-4.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-5.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/configuration/cortana-at-work/test-scenario-6.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
+ "redirect_document_id":false
+ },
 {
 "source_path": "windows/configuration/windows-diagnostic-data.md",
 "redirect_url": "/windows/privacy/windows-diagnostic-data",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/changes-to-start-policies-in-windows-10.md",
+ "redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/configure-windows-10-taskbar.md",
+ "redirect_url": "/windows/configuration/taskbar/configure-windows-10-taskbar",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-and-export-start-layout.md",
+ "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-start-menu-layout-windows-11.md",
+ "redirect_url": "/windows/configuration/start/customize-start-menu-layout-windows-11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-taskbar-windows-11.md",
+ "redirect_url": "/windows/configuration/taskbar/customize-taskbar-windows-11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md",
+ "redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md",
+ "redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md",
+ "redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/find-the-application-user-model-id-of-an-installed-app.md",
+ "redirect_url": "/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/guidelines-for-assigned-access-app.md",
+ "redirect_url": "/windows/configuration/kiosk/guidelines-for-assigned-access-app",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-additional-reference.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-additional-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-mdm-bridge.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-mdm-bridge",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-methods.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-methods",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-policies.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-prepare.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-prepare",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-shelllauncher.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-shelllauncher",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-single-app.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-single-app",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-validate.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-validate",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk-xml.md",
+ "redirect_url": "/windows/configuration/kiosk/kiosk-xml",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lockdown-features-windows-10.md",
+ "redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lock-down-windows-10-applocker.md",
+ "redirect_url": "/windows/configuration/kiosk/lock-down-windows-10-applocker",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lock-down-windows-10-to-specific-apps.md",
+ "redirect_url": "/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lock-down-windows-11-to-specific-apps.md",
+ "redirect_url": "/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/manage-tips-and-suggestions.md",
+ "redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/provisioning-apn.md",
+ "redirect_url": "/windows/configuration/cellular/provisioning-apn",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/setup-digital-signage.md",
+ "redirect_url": "/windows/configuration/kiosk/setup-digital-signage",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/set-up-shared-or-guest-pc.md",
+ "redirect_url": "/windows/configuration/shared-pc/set-up-shared-or-guest-pc",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shared-devices-concepts.md",
+ "redirect_url": "/windows/configuration/shared-pc/shared-devices-concepts",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shared-pc-technical.md",
+ "redirect_url": "/windows/configuration/shared-pc/shared-pc-technical",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/start-layout-xml-desktop.md",
+ "redirect_url": "/windows/configuration/start/start-layout-xml-desktop",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/start-secondary-tiles.md",
+ "redirect_url": "/windows/configuration/start/start-secondary-tiles",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
+ "redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/supported-csp-start-menu-layout-windows.md",
+ "redirect_url": "/windows/configuration/start/supported-csp-start-menu-layout-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/supported-csp-taskbar-windows.md",
+ "redirect_url": "/windows/configuration/taskbar/supported-csp-taskbar-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/windows-10-start-layout-options-and-policies.md",
+ "redirect_url": "/windows/configuration/start/windows-10-start-layout-options-and-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/windows-accessibility-for-ITPros.md",
+ "redirect_url": "/windows/configuration/accessibility",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/windows-spotlight.md",
+ "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 06fc754819..813e7ce7fc 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -12,7 +12,7 @@
 },
 {
 "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
 "redirect_document_id": false
 },
 {
@@ -22,17 +22,17 @@
 },
 {
 "source_path": "windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/deploy-windows-mdt/key-features-in-mdt.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components",
 "redirect_document_id": false
 },
 {
@@ -187,7 +187,7 @@
 },
 {
 "source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
- "redirect_url": "/windows/deployment/deploy-whats-new",
+ "redirect_url": "/windows/deployment/",
 "redirect_document_id": false
 },
 {
@@ -692,7 +692,7 @@
 },
 {
 "source_path": "windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
- "redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
 "redirect_document_id": false
 },
 {
@@ -754,7 +754,7 @@
 "source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md",
 "redirect_url": "/windows/deployment/do/mcc-enterprise-deploy",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/windows-autopatch/deploy/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
@@ -1114,6 +1114,16 @@
 "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
 "redirect_url": "/mem/autopilot/windows-autopilot",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/deploy-whats-new.md",
+ "redirect_url": "/windows/deployment/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md",
+ "redirect_url": "/legal/windows/windows-autopilot-eula-note",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index d0bee7874b..9ddad9824f 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -8217,13 +8217,123 @@
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md",
- "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-identity-verification.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/requirements",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/requirements.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/multifactor-unlock",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-and-password-changes.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works-authentication",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works-provisioning",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-planning-guide.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/prepare-users",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/passwordless-strategy.md",
+ "redirect_url": "/windows/security/identity-protection/passwordless-strategy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/cloud.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/cloud-only",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-videos.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-faq.yml",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
diff --git a/.openpublishing.redirection.windows-whats-new.json b/.openpublishing.redirection.windows-whats-new.json
index 6a9debfcc4..9e05719ebc 100644
--- a/.openpublishing.redirection.windows-whats-new.json
+++ b/.openpublishing.redirection.windows-whats-new.json
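Review bot: The unchanged entry for `hello-identity-verification.md` in this hunk still targets `/windows/security/identity-protection/hello-for-business/deploy/requirements`, while the entry added directly below it retires `deploy/requirements.md` and sends it on to `.../hello-for-business/deploy/`, so that old URL now resolves through two redirects instead of one. The commit already retargets `hello-key-trust-validate-pki.md` straight to `deploy/on-premises-key-trust` for the same kind of move, and `hello-identity-verification.md` should be handled the same way: `"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",`. Whether the publishing pipeline follows chained redirects is not visible from this diff, so this is worth confirming before merge. A validation step that flags any `redirect_url` matching another entry's `source_path` (minus the extension) would catch this class of problem across the redirection files.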
@@ -1,114 +1,169 @@
 {
- "redirections": [
- {
- "source_path": "windows/whats-new/applocker.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/bitlocker.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md",
- "redirect_url": "/windows/whats-new/index",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/contribute-to-a-topic.md",
- "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/credential-guard.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/device-guard-overview.md",
- "redirect_url": "/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/device-management.md",
- "redirect_url": "/windows/client-management/index",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/edge-ie11-whats-new-overview.md",
- "redirect_url": "/microsoft-edge/deploy/emie-to-improve-compatibility",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/edp-whats-new-overview.md",
- "redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/lockdown-features-windows-10.md",
- "redirect_url": "/windows/configuration/lockdown-features-windows-10",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/microsoft-passport.md",
- "redirect_url": "/windows/access-protection/hello-for-business/hello-identity-verification",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/new-provisioning-packages.md",
- "redirect_url": "/windows/configuration/provisioning-packages/provisioning-packages",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/security-auditing.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/security.md",
- "redirect_url": "/windows/threat-protection/overview-of-threat-mitigations-in-windows-10",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/trusted-platform-module.md",
- "redirect_url": "/windows/device-security/tpm/trusted-platform-module-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/user-account-control.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-10-insider-preview.md",
- "redirect_url": "/windows/whats-new",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-11-whats-new.md",
- "redirect_url": "/windows/whats-new/windows-11-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-11.md",
- "redirect_url": "/windows/whats-new/windows-11-whats-new",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-spotlight.md",
- "redirect_url": "/windows/configuration/windows-spotlight",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-store-for-business-overview.md",
- "redirect_url": "/microsoft-store/windows-store-for-business-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/whats-new/windows-update-for-business.md",
- "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
- "redirect_document_id": false
- }
- ]
-}
+ "redirections":[
+ {
+ "source_path":"windows/whats-new/applocker.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/bitlocker.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/change-history-for-what-s-new-in-windows-10.md",
+ "redirect_url":"/windows/whats-new/index",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/contribute-to-a-topic.md",
+ "redirect_url":"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/credential-guard.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/device-guard-overview.md",
+ "redirect_url":"/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/device-management.md",
+ "redirect_url":"/windows/client-management/index",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/edge-ie11-whats-new-overview.md",
+ "redirect_url":"/microsoft-edge/deploy/emie-to-improve-compatibility",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/edp-whats-new-overview.md",
+ "redirect_url":"/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/lockdown-features-windows-10.md",
+ "redirect_url":"/windows/configuration/lockdown-features-windows-10",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/microsoft-passport.md",
+ "redirect_url":"/windows/access-protection/hello-for-business/hello-identity-verification",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/new-provisioning-packages.md",
+ "redirect_url":"/windows/configuration/provisioning-packages/provisioning-packages",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/security-auditing.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/security.md",
+ "redirect_url":"/windows/threat-protection/overview-of-threat-mitigations-in-windows-10",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/trusted-platform-module.md",
+ "redirect_url":"/windows/device-security/tpm/trusted-platform-module-overview",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/user-account-control.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-10-insider-preview.md",
+ "redirect_url":"/windows/whats-new",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-11-whats-new.md",
+ "redirect_url":"/windows/whats-new/windows-11-overview",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-11.md",
+ "redirect_url":"/windows/whats-new/windows-11-whats-new",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-spotlight.md",
+ "redirect_url":"/windows/configuration/windows-spotlight",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-store-for-business-overview.md",
+ "redirect_url":"/microsoft-store/windows-store-for-business-overview",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/windows-update-for-business.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1507-and-1511.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1607.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1607",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1703.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1703",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1709.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1709",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1803.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1803",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1809.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1903.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1903",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-1909.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1909",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-2004.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-2004",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
+ "redirect_document_id":false
+ }
+ ]
+ }
diff --git a/browsers/edge/images/config-open-me-with-scenarios-tab.PNG b/browsers/edge/images/config-open-me-with-scenarios-tab.png
similarity index 100%
rename from browsers/edge/images/config-open-me-with-scenarios-tab.PNG
rename to browsers/edge/images/config-open-me-with-scenarios-tab.png
diff --git a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
deleted file mode 100644
index 08d914e629..0000000000
--- a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
+++ /dev/null
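Review bot: The rewritten entry for `windows/whats-new/windows-spotlight.md` still points at `/windows/configuration/windows-spotlight`, a page this same commit redirects to `/windows/configuration/lock-screen/windows-spotlight` in `.openpublishing.redirection.json`, so it should name the final URL directly: `"redirect_url":"/windows/configuration/lock-screen/windows-spotlight",`. The pair `windows-11.md` → `/windows/whats-new/windows-11-whats-new` and `windows-11-whats-new.md` → `/windows/whats-new/windows-11-overview` is a second chain, carried over unchanged from the old side. On style, the file was re-serialized with no space after each colon, which turns six retargeted URLs and eleven new entries into a whole-file replacement (`-1,114 +1,169`) and departs from the `"key": value` layout used in the other redirection files in this commit; keeping the existing formatting would leave only the real changes in the hunk.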
@@ -1,68 +0,0 @@ ---- -ms.localizationpriority: low -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Add employees to the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. - -The available roles are: - -- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. - -- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. 
The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. - -**To add an employee to the Enterprise Mode Site List Portal** -1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. - - The **Employee management** page appears. - -2. Click **Add a new employee**. - - The **Add a new employee** page appears. - -3. Fill out the fields for each employee, including: - - - **Email.** Add the employee's email address. - - - **Name.** This box autofills based on the email address. - - - **Role.** Pick a single role for the employee, based on the list above. - - - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. - - - **Comments.** Add optional comments about the employee. - - - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - -**To export all employees to an Excel spreadsheet** -1. On the **Employee management** page, click **Export to Excel**. - -2. Save the EnterpriseModeUsersList.xlsx file. - - The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. 
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md deleted file mode 100644 index 39adf2816d..0000000000 --- a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -ms.localizationpriority: low -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: dansimp -ms.prod: ie11 -ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. - -If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file -You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
-You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-Each XML file must include:
-
-- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
-
-- **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-### Enterprise Mode v.1 XML schema example
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-```
-
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
deleted file mode 100644
index b4da3f64f5..0000000000
--- a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
-author: dansimp
-ms.prod: ie11
-ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/24/2017
----
-
-
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones.
-
-To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
-
-## Create an Enterprise Mode site list (TXT) file
-
-You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
-
->**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema
-
-You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
-
-Each XML file must include:
-
-- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains.
-
-- **<open-in> tag.** This tag specifies what browser opens for each sites or domain.
-
-### Enterprise Mode v.2 XML schema example
-
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
-
-```
-
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
deleted file mode 100644
index 55b2dcd28a..0000000000
--- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
-
-
**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
-
**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool.
-
-4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
-
-The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
-
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-5. Click **Save** to validate your website and to add it to the site list for your enterprise.
-If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
deleted file mode 100644
index c1a7aee9b8..0000000000
--- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
-
-
**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
-**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
-
-1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool. - -4. In the **Compat Mode** box, choose one of the following: - - - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. - - - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. - - - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. - - - **Default Mode**. Loads the site using the default compatibility mode for the page. - - The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - - Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. - - - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. - - - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. - - - **None**. Opens in whatever browser the employee chooses. - -6. Click **Save** to validate your website and to add it to the site list for your enterprise.
-If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/administrative-templates-and-ie11.md b/browsers/enterprise-mode/administrative-templates-and-ie11.md
deleted file mode 100644
index d92810ceb5..0000000000
--- a/browsers/enterprise-mode/administrative-templates-and-ie11.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Administrative templates and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Administrative templates and Internet Explorer 11
-
-Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
-
-- What registry locations correspond to each setting.
-
-- What value options or restrictions are associated with each setting.
-
-- The default value for many settings.
-
-- Text explanations about each setting and the supported version of Internet Explorer.
-
-For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
-
-## What are Administrative Templates?
-Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
-
-- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
-
-- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
-
-## How do I store Administrative Templates?
-As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**.
For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -
**Important**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see [Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810).
-
-## Administrative Templates-related Group Policy settings
-When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
-
**Note**
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the **PolicyDefinitions** folder on this computer.
-
-IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
-
-- Computer Configuration\\Administrative Templates\\Windows Components\\
-
-- User Configuration\\Administrative Templates\\Windows Components\\
-
-
-|Catalog |Description |
-| ------------------------------------------------ | --------------------------------------------|
-|IE |Turns standard IE configuration on and off. |
-|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
-|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
-|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
-|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
-|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
-|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
-|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
-|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
-|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
-|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
-|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
-|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
-|RSS Feeds |Sets up and manages RSS feeds in the browser. |
-
-
-## Editing Group Policy settings
-Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
-
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
-
-## Related topics
-- [Administrative templates (.admx) for Windows 10 download](https://go.microsoft.com/fwlink/p/?LinkId=746579)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
-
diff --git a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
deleted file mode 100644
index fd58f63df5..0000000000
--- a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Approve a change request using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
-
-## Approve or reject a change request
-The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
-
-**To approve or reject a change request**
-1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
-
- The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
-
-2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
-
-3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
-
- An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
-
-
-## Send a reminder to the Approver(s) group
-If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
-
-- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
-
- An email is sent to the selected Approver(s).
-
-
-## View rejected change requests
-The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
-
-**To view the rejected change request**
-
-- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
-
- All rejected change requests appear, with role assignment determining which ones are visible.
-
-
-## Next steps
-After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
diff --git a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
deleted file mode 100644
index 7696eedaca..0000000000
--- a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-ms.reviewer:
-manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: low
----
-
-
-# Check for a new Enterprise Mode site list xml file
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
-
-**How Internet Explorer 11 looks for an updated site list**
-
-1. Internet Explorer starts up and looks for an updated site list in the following places:
-
- 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
-
- 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
-
- 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
-
-2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
deleted file mode 100644
index 91c262c502..0000000000
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ /dev/null
@@ -1,446 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Collect data using Enterprise Site Discovery
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Collect data using Enterprise Site Discovery
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7 with Service Pack 1 (SP1)
-
-Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
-
->**Upgrade Analytics and Windows upgrades**
->You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started).
-
-
-## Before you begin
-Before you start, you need to make sure you have the following:
-
-- Latest cumulative security update (for all supported versions of Internet Explorer):
-
- 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
-
- 
-
- 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
-
- 
-
- 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
-
-- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
-
- - Configuration-related PowerShell scripts
-
- - IETelemetry.mof file
-
- - Sample Configuration Manager report templates
-
- You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
-
-Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
-
-## What data is collected?
-Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
-
-|Data point |IE11 |IE10 |IE9 |IE8 |Description |
-|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
-|Domain | X | X | X | X |Top-level domain of the browsed site. |
-|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
-|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
-|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
-|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
-|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
-|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
-|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
-|Number of visits | X | X | X | X |Number of times a site has been visited. |
-|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
-
-
->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-### Understanding the returned reason codes
-The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
-
-#### DocMode reason
-The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
-|4 |Page is using an X-UA-compatible meta tag. |
-|5 |Page is using an X-UA-compatible HTTP header. |
-|6 |Page appears on an active **Compatibility View** list. |
-|7 |Page is using native XML parsing. |
-|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
-|9 |Page state is set by the browser mode and the page's DOCTYPE.|
-
-#### Browser state reason
-The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
-|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
-|3 |Site appears on an active **Compatibility View** list, created by the user. |
-|4 |Page is using an X-UA-compatible tag. |
-|5 |Page state is set by the **Developer** toolbar. |
-|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
-|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
-|8 |Site appears on the **Quirks** list, created in Group Policy. |
-|11 |Site is using the default browser. |
-
-#### Zone
-The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|-1 |Internet Explorer is using an invalid zone. |
-|0 |Internet Explorer is using the Local machine zone. |
-|1 |Internet Explorer is using the Local intranet zone. |
-|2 |Internet Explorer is using the Trusted sites zone. |
-|3 |Internet Explorer is using the Internet zone. |
-|4 |Internet Explorer is using the Restricted sites zone. |
-
-## Where is the data stored and how do I collect it?
-The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
-
-- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
-
-- **XML file**. Any agent that works with XML can be used.
-
-## WMI Site Discovery suggestions
-We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
-
-On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
-
->**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-## Getting ready to use Enterprise Site Discovery
-Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-
-### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
-You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
-
->**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
-
-**To set up Enterprise Site Discovery**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
-
-### WMI only: Set up your firewall for WMI data
-If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
-
-**To set up your firewall**
-
-1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
-
-2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
-
-3. Restart your computer to start collecting your WMI data.
-
-## Use PowerShell to finish setting up Enterprise Site Discovery
-You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
-
->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
-
-- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-
-- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
-
-**To set up data collection using a domain allow list**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
-
- >**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
-
-**To set up data collection using a zone allow list**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
-
- >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-
-## Use Group Policy to finish setting up Enterprise Site Discovery
-You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
-
->**Note**
All of the Group Policy settings can be used individually or as a group.
-
- **To set up Enterprise Site Discovery using Group Policy**
-
-- Open your Group Policy editor, and go to these new settings:
-
- |Setting name and location |Description |Options |
- |---------------------------|-------------|---------|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone
Binary representation: *00010*, based on:
0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones
Binary representation: *10110*, based on:
1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone |
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
-
-### Combining WMI and XML Group Policy settings
-You can use both the WMI and XML settings individually or together:
-
-**To turn off Enterprise Site Discovery**
-
-|Setting name |Option |
-|---------|---------|
-|Turn on Site Discovery WMI output | Off |
-|Turn on Site Discovery XML output | Blank |
-
-**Turn on WMI recording only**
-
-|Setting name |Option |
-|---------|---------|
-|Turn on Site Discovery WMI output | On |
-|Turn on Site Discovery XML output | Blank |
-
-**To turn on XML recording only**
-
-|Setting name |Option |
-|---------|---------|
-|Turn on Site Discovery WMI output | Off |
-|Turn on Site Discovery XML output | XML file path |
-
-**To turn on both WMI and XML recording**
-
-|Setting name |Option |
-|---------|---------|
-|Turn on Site Discovery WMI output | On |
-|Turn on Site Discovery XML output | XML file path |
-
-## Use Configuration Manager to collect your data
-After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-
-### Collect your hardware inventory using the MOF Editor while connected to a client device
-You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
- 
-
-2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
-
-3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
-
- 
-
-4. Select the check boxes next to the following classes, and then click **OK**:
-
- - IESystemInfo
-
- - IEURLInfo
-
- - IECountInfo
-
-5. Click **OK** to close the default windows. **or** Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
-|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section. **or** For IPv6 ranges: Where **Important** Your sites are all cleared from your list.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md
deleted file mode 100644
index 91ff0fab17..0000000000
--- a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Instructions about how to remove sites from a local compatibility view list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Remove sites from a local compatibility view list
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems.
-
- **To remove sites from a local compatibility view list**
-
-1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**.
-
-2. Pick the site to remove, and then click **Remove**.
-Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section.
-
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md
deleted file mode 100644
index 4e7e10efde..0000000000
--- a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Instructions about how to remove sites from a local Enterprise Mode site list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Remove sites from a local Enterprise Mode site list
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems.
-
-**Note**
-The checkmark disappears from next to Enterprise Mode and the site is removed from the list.
-
-**Note**
-The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md
deleted file mode 100644
index c946663dda..0000000000
--- a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Schedule approved change requests for production using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
-
-**To schedule an immediate change**
-1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
-
-2. The Requester clicks the **Approved** status for the change request.
-
- The **Schedule changes** page appears.
-
-3. The Requester clicks **Now**, and then clicks **Save**.
-
- The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
-
-
-**To schedule the change for a different day or time**
-1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
-
-2. The Requester clicks the **Approved** status for the change request.
-
- The **Schedule changes** page appears.
-
-3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
-
- The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
-
-
-## Next steps
-After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.
diff --git a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index bf7e73664e..0000000000
--- a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Search to see if a specific site already appears in your global Enterprise Mode site list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again.
-
- **To search your compatibility list**
-
-- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
-The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
deleted file mode 100644
index 923d4dfe04..0000000000
--- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Set up and turn on Enterprise Mode logging and data collection in your organization.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Set up Enterprise Mode logging and data collection
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
-
-
-
-The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
-
-
-
-Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
-
-## Using ASP to collect your data
-When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu.
-
- **To set up an endpoint server**
-
-1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609).
-
-2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.
-This lets you create an ASP form that accepts the incoming POST messages.
-
-3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
-
- 
-
-4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
-
- 
-
-5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
-Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
-
-6. Apply these changes to your default website and close the IIS Manager.
-
-7. Put your EmIE.asp file into the root of the web server, using this command:
-
- ```
- <% @ LANGUAGE=javascript %>
- <%
- Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
- %>
- ```
-This code logs your POST fields to your IIS log file, where you can review all of the collected data.
-
-
-### IIS log file information
-This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
-
-
-
-
-## Using the GitHub sample to collect your data
-Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.
-This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-**Note**
-The required packages are automatically downloaded and included in the solution.
-
- **To set up your endpoint server**
-
-1. Right-click on the name, PhoneHomeSample, and click **Publish**.
-
- 
-
-2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
-
- **Important**
-If you’re already on the webpage, you’ll need to refresh the page to see the results.
-
- 
-
-
-### Troubleshooting publishing errors
-If you have errors while you’re publishing your project, you should try to update your packages.
-
- **To update your packages**
-
-1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
-
- 
-
-2. Click **Updates** on the left side of the tool, and click the **Update All** button.
-You may need to do some additional package cleanup to remove older package versions.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [What is Enterprise Mode?](what-is-enterprise-mode.md)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
deleted file mode 100644
index ff7107b46a..0000000000
--- a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
+++ /dev/null
@@ -1,235 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
-author: dansimp
-ms.prod: ie11
-title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Set up the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
-
-Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
-
-## Step 1 - Copy the deployment folder to the web server
-You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
-
-**To download the source code**
-1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
-
-2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
-
- > [!NOTE]
- > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
-
-3. Open File Explorer and then open the **EMIEWebPortal/** folder.
-
-4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
-
-5. Type _npm i_ into the command prompt, then press **Enter**.
-
- Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
-
-6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
-
-7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
-
-## Step 2 - Create the Application Pool and website, by using IIS
-Create a new Application Pool and the website, by using the IIS Manager.
-
-**To create a new Application Pool**
-1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
-
- The **Add Application Pool** box appears.
-
-2. In the **Add Application Pool** box, enter the following info:
-
- - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
-
- - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
-
- - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
-
-3. Click **OK**.
-
-4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
-
- The **Advanced Settings** box appears.
-
-5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
-
-6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
-
-7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
-
-8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
-
-9. Add **Everyone** to the list with **Read & execute access**.
-
-**To create the website**
-1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
-
- The **Add Website** box appears.
-
-2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
-
- The **Select Application Pool** box appears.
-
-4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
-
-5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
-
-6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
-
-7. Clear the **Start Website immediately** check box, and then click **OK**.
-
-8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
-
- The **<website_name> Home** pane appears.
-
-9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
-
- > [!NOTE]
- > You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
-
-10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
-
-11. Open the **LOBMergedEntities Connection String** to edit:
-
- - **Data source.** Type the name of your local computer.
-
- - **Initial catalog.** The name of your database.
-
- > [!NOTE]
- > Step 3 of this topic provides the steps to create your database.
-
-## Step 3 - Create and prep your database
-Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
-
-**To create and prep your database**
-1. Start SQL Server Management Studio.
-
-2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
-
-3. Expand the instance, right-click on **Databases**, and then click **New Database**.
-
-4. Type a database name. For example, _EMIEDatabase_.
-
-5. Leave all default values for the database files, and then click **OK**.
-
-6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
-
-7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
-
-8. Run the query.
-
-## Step 4 - Map your Application Pool to a SQL Server role
-Map your ApplicationPoolIdentity to your database, adding the db_owner role.
-
-**To map your ApplicationPoolIdentity to a SQL Server role**
-1. Start SQL Server Management Studio and connect to your database.
-
-2. Expand the database instance and then open the server-level **Security** folder.
-
- > [!IMPORTANT]
- > Make sure you open the **Security** folder at the server level and not for the database.
-
-3. Right-click **Logins**, and then click **New Login**.
-
- The **Login-New** dialog box appears.
-
-4. Type the following into the **Login name** box, based on your server instance type:
-
- - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
-
- - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
-
- > [!IMPORTANT]
- > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
-
-5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
-
-6. Click **OK**.
-
-## Step 5 - Restart the Application Pool and website
-Using the IIS Manager, you must restart both your Application Pool and your website.
-
-**To restart your Application Pool and website**
-1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
-
-2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
-
-## Step 6 - Registering as an administrator
-After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
-
-**To register as an administrator**
-1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085.
-
-2. Click **Register now**.
-
-3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
-
-4. Click **Administrator** from the **Role** box, and then click **Save**.
-
-5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole.
-
- A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
-
-6. Select your name from the available list, and then click **Activate**.
-
-7. Go to the Enterprise Mode Site List Portal Home page and sign in.
-
-## Step 7 - Configure the SMTP server and port for email notification
-After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
-
-**To set up your SMTP server and port for emails**
-1. Open Visual Studio, and then open the web.config file from your deployment directory.
-
-2. Update the SMTP server and port info with your info, using this format:
-
- ```
-
-Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately.
-
- **To turn off local control using Group Policy**
-
-1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
-
-2. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**.
-
-3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality.
-
- **To turn off the site list using the registry**
-
-1. Open a registry editor, such as regedit.exe.
-
-2. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.
-You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers.
-
-3. Close all and restart all instances of Internet Explorer.
-IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on).
-
- **To turn off local control using the registry**
-
-1. Open a registry editor, such as regedit.exe.
-
-2. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.
-You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers.
-
-3. Close and restart all instances of IE.
-Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on).
-
-## Related topics
-- [What is Enterprise Mode?](what-is-enterprise-mode.md)
-- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
deleted file mode 100644
index 2cfad8e8db..0000000000
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-ms.date: 07/17/2018
----
-Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
-centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
-
-> [!NOTE]
-> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
-
-**Group Policy**
-
-1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting. Turning this setting on also requires you to create and store a site list.
-
-
-
-2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
-
-3. Refresh your policy and then view the affected sites in Microsoft Edge. The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.
-
-**Registry**
-
-All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list.
-
-1. **To turn on Enterprise Mode for all users on the PC:** Open the registry editor and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`.
-
-2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
-
-
- - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
-
- - **Local network:** `"SiteList"="\\network\shares\sites.xml"`
-
- - **Local file:** `"SiteList"="file:///c:\\Users\\ The site shows a message in Microsoft Edge, saying that the page needs IE.
- At the same time, the page opens in IE11; in a new frame if it is not yet
- running, or in a new tab if it is.
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
deleted file mode 100644
index c8ef3d030c..0000000000
--- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Turn on local user control and logging for Enterprise Mode.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Turn on local control and logging for Enterprise Mode
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
-
-Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu.
-
- **To turn on local control of Enterprise Mode using Group Policy**
-
-1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
-
- 
-
-2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
-
- **To turn on local control of Enterprise Mode using the registry**
-
-1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
-
-2. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**.
-
-3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
-
- 
-
-Your **Value data** location can be any of the following types:
-
-- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu. **Important** This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-
-## Related topics
-
-
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/using-enterprise-mode.md b/browsers/enterprise-mode/using-enterprise-mode.md
deleted file mode 100644
index c6f3e6048e..0000000000
--- a/browsers/enterprise-mode/using-enterprise-mode.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using IE7 Enterprise Mode or IE8 Enterprise Mode
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features.
-
-Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code:
-
-- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode.
-- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode.
-
-**Important** For example, `C:\users\ **Important** **Important** **Important** **Important**
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
deleted file mode 100644
index 18c0b63cac..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
-author: dansimp
-ms.prod: ie11
-ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/24/2017
----
-
-
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones.
-
-To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
-
-## Create an Enterprise Mode site list (TXT) file
-
-You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
-
->**Important:** **Important** **Important**
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
deleted file mode 100644
index 8c5e4b4426..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. **Important** Note Note
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool.
-
-4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
-
-The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
-
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-5. Click **Save** to validate your website and to add it to the site list for your enterprise.
- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
deleted file mode 100644
index 10f60620a8..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. **Important** Note
-**Note**
- Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
- Administrators can only see comments while they’re in this tool.
-
-4. In the **Compat Mode** box, choose one of the following:
-
- - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode.
-
- - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode.
-
- - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode.
-
- - **Default Mode**. Loads the site using the default compatibility mode for the page.
-
- The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
-
- Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
-
- - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
-
- - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
-
- - **None**. Opens in whatever browser the employee chooses.
-
-6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
-
-7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](./enterprise-mode-schema-version-2-guidance.md#updated-schema-attributes).
-
-8. Click **Save** to validate your website and to add it to the site list for your enterprise.
- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
deleted file mode 100644
index 4de574cbe2..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Administrative templates and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Administrative templates and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
-
-- What registry locations correspond to each setting.
-
-- What value options or restrictions are associated with each setting.
-
-- The default value for many settings.
-
-- Text explanations about each setting and the supported version of Internet Explorer.
-
-For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](/previous-versions/windows/it-pro/windows-vista/cc709647(v=ws.10)).
-
-## What are Administrative Templates?
-Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
-
-- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
-
-- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
-
-## How do I store Administrative Templates?
-As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
- Important Note **Note** **Note** **Important** **Important** Important **Important** **Note** **Note** **-OR-** Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file. **Note** **Note** **Important** **Note** **Note** 250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
-
->**Important**
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-
-### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
-You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
-
->**Important** 0 – Restricted Sites zone **Example 1:** Include only the Local Intranet zone Binary representation: *00010*, based on: 0 – Restricted Sites zone **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones Binary representation: *10110*, based on: 1 – Restricted Sites zone microsoft.sharepoint.com
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-
-### Collect your hardware inventory using the MOF Editor while connected to a client device
-You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
- 
-
-2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
-
-3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
-
- 
-
-4. Select the check boxes next to the following classes, and then click **OK**:
-
- - IESystemInfo
-
- - IEURLInfo
-
- - IECountInfo
-
-5. Click **OK** to close the default windows.
-**Important** **Note** **or** Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does.|Internet Explorer 11 and Microsoft Edge|
-|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section. Where `https://fabrikam.com` opens in the IE11 browser, but `https://fabrikam.com/products` loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
-|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. Where `https://fabrikam.com` does not use Enterprise Mode, but `https://fabrikam.com/products` uses IE7 Enterprise Mode.|Internet Explorer 11|
-
-### Using Enterprise Mode and document mode together
-If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
-
-For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node.
-
-```xml
- **or** For IPv6 ranges: Where **Important** After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed.
-
-8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
-
-9. Expand *ComputerName*, and then click **Synchronizations**.
-
-10. Click **Synchronize Now**.
-
-11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
-
-12. Choose **Unapproved** in the **Approval** drop down box.
-
-13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
-
- > [!NOTE]
- > There may be multiple updates, depending on the imported language and operating system updates.
-
-**Optional**
-
-If you need to reset your Update Rollups packages to auto-approve, do this:
-
-1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
-
-2. Expand *ComputerName*, and then click **Options**.
-
-3. Click **Automatic Approvals**.
-
-4. Click the rule that automatically approves updates of different classifications, and then click **Edit**.
-
-5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
-
-6. Check the **Update Rollups** check box, and then click **OK**.
-
-7. Click **OK** to close the **Automatic Approvals** dialog box.
-
-> [!NOTE]
-> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
-
-
-## Additional resources
-
-- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process)
-
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-
-- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml)
-
-- [Internet Explorer 11 delivery through automatic updates]()
-
-- [Internet Explorer 11 deployment guide](./index.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/affectedsoftware.png b/browsers/internet-explorer/ie11-deploy-guide/images/affectedsoftware.png
deleted file mode 100644
index df63b88432..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/affectedsoftware.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/bulkadd-emiesitelistmgr.png b/browsers/internet-explorer/ie11-deploy-guide/images/bulkadd-emiesitelistmgr.png
deleted file mode 100644
index 040df5bb07..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/bulkadd-emiesitelistmgr.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgractivexreport.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgractivexreport.png
deleted file mode 100644
index a782b6657c..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgractivexreport.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png
deleted file mode 100644
index 7626296e87..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png
deleted file mode 100644
index 07a182461b..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png
deleted file mode 100644
index c887d9c193..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-f12.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-f12.png
deleted file mode 100644
index 28adf37af6..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-f12.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/emie-listmgr.png b/browsers/internet-explorer/ie11-deploy-guide/images/emie-listmgr.png
deleted file mode 100644
index f3a1773a45..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/emie-listmgr.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/emie-sitelistmgr.png b/browsers/internet-explorer/ie11-deploy-guide/images/emie-sitelistmgr.png
deleted file mode 100644
index ccd5c9cd4b..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/emie-sitelistmgr.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editbindings.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editbindings.png
deleted file mode 100644
index 3d22ce267e..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editbindings.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editpolicy.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editpolicy.png
deleted file mode 100644
index f2b011d717..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editpolicy.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editregistrystring.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editregistrystring.png
deleted file mode 100644
index dc365fc8ad..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-editregistrystring.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicy.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicy.png
deleted file mode 100644
index 115e7d8a05..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicy.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png
deleted file mode 100644
index 14079ffd7c..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logfile.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logfile.png
deleted file mode 100644
index b58e2a21b8..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logfile.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logging.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logging.png
deleted file mode 100644
index becf942ecd..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-logging.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-packageupdate.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-packageupdate.png
deleted file mode 100644
index 66480b5f6c..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-packageupdate.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishsolution.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishsolution.png
deleted file mode 100644
index a3daa4e483..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishsolution.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishweb.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishweb.png
deleted file mode 100644
index eaf44305e2..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-publishweb.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png
deleted file mode 100644
index 3c32b1af1a..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-reportwdetails.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-reportwdetails.png
deleted file mode 100644
index 7209452cf3..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-reportwdetails.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-toolsmenu.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-toolsmenu.png
deleted file mode 100644
index 66e8ecf082..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-toolsmenu.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-site-discovery-sample-report.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-site-discovery-sample-report.png
deleted file mode 100644
index c53b4d160e..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-site-discovery-sample-report.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie11-inventory-addclassconnectscreen.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie11-inventory-addclassconnectscreen.png
deleted file mode 100644
index 629267fb62..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie11-inventory-addclassconnectscreen.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontroloutsideofie.png b/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontroloutsideofie.png
deleted file mode 100644
index 8c1d246aaf..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontroloutsideofie.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontrolwarning.png b/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontrolwarning.png
deleted file mode 100644
index 4a6ea00e6f..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ieoutdatedcontrolwarning.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg b/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg
deleted file mode 100644
index 0bcfd3b650..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg b/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg
deleted file mode 100644
index 48ed75b701..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/outdatedcontrolwarning.png b/browsers/internet-explorer/ie11-deploy-guide/images/outdatedcontrolwarning.png
deleted file mode 100644
index 87e49b5093..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/outdatedcontrolwarning.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/securitybulletin-filter.png b/browsers/internet-explorer/ie11-deploy-guide/images/securitybulletin-filter.png
deleted file mode 100644
index 73d11e3644..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/securitybulletin-filter.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/setdefaultbrowsergp.png b/browsers/internet-explorer/ie11-deploy-guide/images/setdefaultbrowsergp.png
deleted file mode 100644
index 2a52b20e23..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/setdefaultbrowsergp.png and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/wedge.gif b/browsers/internet-explorer/ie11-deploy-guide/images/wedge.gif
deleted file mode 100644
index aa3490aee9..0000000000
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/wedge.gif and /dev/null differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
deleted file mode 100644
index 83c7c6b9b8..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-description: A full-sized view of how document modes are chosen in IE11.
-title: Full-sized flowchart detailing how document modes are chosen in IE11
-author: dansimp
-ms.date: 04/19/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-ms.prod: ie11
----
-
-# Full-sized flowchart detailing how document modes are chosen in IE11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
-
-:::image type="content" source="images/docmode-decisions-lg.png" alt-text="Full-sized flowchart detailing how document modes are chosen in IE11" lightbox="images/docmode-decisions-lg.png":::
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index f585e3210d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
-**Important**
-Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do.
-
- **To import your compatibility list**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**.
-
-2. Go to your exported .EMIE file (for example, `C:\users\ This means that while IE11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. Note Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11. Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the Security settings or Group Policy Preferences within the Internet Zone settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. |
-|[Missing the Compatibility View Button](missing-the-compatibility-view-button.md) |Compatibility View was introduced in Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the IE web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. Thanks to these changes, using IE11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the Compatibility View button and reducing the number of compatibility options in the F12 developer tools for developers. |
-|[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](deploy-pinned-sites-using-mdt-2013.md) |You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. The ability to pin websites to the Windows 8.1 taskbar can help make end-users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to employees. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](/mem/configmgr/mdt/).
-
-
-## IE11 naming conventions
-IE11 offers differing experiences in Windows 8.1:
-
-|Name |Description |
-|-----|------------|
-|Internet Explorer or IE |The immersive browser, or IE, without a specific version. |
-|Internet Explorer for the desktop |The desktop browser. This is the only experience available when running IE11 on Windows 7 SP1 |
-|Internet Explorer 11 or IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. |
-
-## Related topics
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
deleted file mode 100644
index 47a4d07569..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment.
-author: dansimp
-ms.prod: ie11
-ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install and Deploy Internet Explorer 11 (IE11)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1 Update
-- Windows 7 with Service Pack 1 (SP1)
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps.
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) |Guidance about how to use .INF files or the IE Administration Kit 11 (IEAK 11) to create custom packages and about how to create those packages for multiple operating systems. |
-|[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. |
-|[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. |
-|[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. |
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
deleted file mode 100644
index 0ec2a15346..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
-author: dansimp
-ms.prod: ie11
-ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Microsoft Intune
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](/mem/intune/).
-
-## Adding and deploying the IE11 package
-You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
-
- **To add the IE11 package**
-
-1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
-
-2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
-
-For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](/mem/intune/).
-
- **To automatically deploy and install the IE11 package**
-
-1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
-
-2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
-
-3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
-
-For more info about this, see [Deploy and configure apps](/mem/intune/).
-
- **To let your employees install the IE11 package**
-
-1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
-
-2. Any employee in the assigned group can now install the package.
-
-For more info about this, see [Update apps using Microsoft Intune](/mem/intune/apps/apps-windows-10-app-deploy)
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
deleted file mode 100644
index 469b700481..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images.
-author: dansimp
-ms.prod: ie11
-ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images.
-
-You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here:
-
-- [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=279697)
-
-- [Microsoft Update Catalog](https://go.microsoft.com/fwlink/p/?LinkId=214287)
-
-After you install the .msu file updates, you'll need to add them to your MDT deployment. You'll also need to extract the IE11 .cab update file from the IE11 installation package, using the `/x` command-line option. For example, `IE11-Windows6.1-x64-en-us.exe /x:c:\ie11cab`.
-
-## Installing IE11 using Microsoft Deployment Toolkit (MDT)
-
-MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/).
-
- **To add IE11 to a MDT deployment share**
-
-1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**.
-
-2. Go to the **Specify Directory** page, search for your folder with your update files (.cab and .msu) for import, and click **Next**.
-
-3. Go to the **Summary** page and click **Next**.
-MDT starts importing your update files. **Note**
- The wizard automatically puts your custom installation files in your `\ **Important**
- Where `
-If you get an error during the Windows Update process, see [Fix the problem with Microsoft Windows Update that is not working](https://go.microsoft.com/fwlink/p/?LinkId=302316).
-
-4. Restart your computer, making sure all of your the updates are finished.
-
-5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
deleted file mode 100644
index 803fc7fb83..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to fix intranet search problems with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Fix intranet search problems with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site.
-
-## Why is my intranet redirecting me to search results?
-IE11 works differently with search, based on whether your organization is domain-joined.
-
-- **Domain-joined computers.** A single word entry is treated as a search term. However, IE11 also checks for available intranet sites and offers matches through the **Notification bar**. If you select **Yes** from the **Notification bar** to navigate to the intranet site, IE11 associates that word with the site so that the next time you type in the intranet site name, inline auto-complete will resolve to the intranet site address.
-
-- **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider.
-
-To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment.
-
- **To enable single-word intranet search**
-
-1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**.
-
-2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**.
-
-If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
deleted file mode 100644
index 58a2d5298b..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Manage Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer.
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. |
-|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. |
-|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
deleted file mode 100644
index e3e56157b3..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Missing Internet Explorer Maintenance settings for Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the IE Administration Kit 11 (IEAK 11).
-
-Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy Preferences, Administrative Templates (.admx), or IE Administration Kit 11 (IEAK 11).
-
-Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the **Security** settings or Group Policy Preferences within the **Internet Zone** settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user.
-
-For more information about all of the new options and Group Policy, see:
-
-- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md)
-
-- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md)
-
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md)
-
-- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876)
-
-- [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10))
-
-- [Enable and Disable Settings in a Preference Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754299(v=ws.11))
-
-## IEM replacements
-The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11.
-
-### Browser user interface replacements
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Browser title |Lets you customize the text that shows up in the title bar of the browser.|On the **Browser User Interface** page of IEAK 11, click **Customize Title Bars**, and then type the text that appears on the title bar of the **Title Bar Text** box. Your text is appended to the text," Microsoft Internet Explorer provided by". |
-|Browser toolbar customizations (background and buttons) |Lets you customize the buttons on the browser toolbar. -OR- On the **Connection Settings** page of IEAK 11, change your connection settings, including importing your current connection settings and deleting existing dial-up connection settings (as needed). |
-|Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL. On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. |
-|Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers. -OR- On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. |
-|User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. |
-
-### URLs replacements
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Favorites and links |Lets you use custom URLs for the **Favorites** and **Links** folders. You can also specify the folder order, disable IE Suggested Sites, and import an existing folder structure. |On the **Favorites, Favorites Bar and Feeds** page of IEAK 11, add your custom URLs to the **Favorites**, **Favorites Bar**, or **RSS Feeds** folders, or create new folders. You can also edit, test, or remove your URLs, sort the list order, or disable IE Suggested Sites. |
-|Important URLs |Lets you add custom **Home** pages that can open different tabs. You can also add a **Support** page that shows up when an employee clicks online Help.|In the **Internet Settings Group Policy Preferences** dialog box, click the **General** tab, and add your custom **Home** page. On the **Important URLs - Home page and Support** page of IEAK 11, add the custom URLs to your **Home** and **Support** pages. You can also click to retain the previous home page information when the user upgrades to a newer version of IE. |
-
-### Security Zones and Content Ratings
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Security zones |Lets you change your security settings, by zone |In the **Internet Settings Group Policy Preferences** dialog box, click the **Security** tab, and update your security settings, based on zone. -OR- On the **Security and Privacy Settings** page of IEAK 11, choose your **Security Zones and Privacy** setting, changing it, as necessary. |
-|Content ratings |Lets you change your content ratings so your employees can't view sites with risky content. |On the **Security and Privacy Settings** page of IEAK 11, choose your **Content Ratings** setting, changing it, as necessary. |
-|Authenticode settings |Lets you pick your trustworthy software publishers and stop your employees from adding new, untrusted publishers while browsing. |These settings aren't available anymore. |
-
-### Programs
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Programs |Lets you import your default program settings, which specify the programs Windows uses for each Internet service. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Programs** tab, and choose how to open IE11 links. -OR- On the **Programs** page of IEAK 11, choose whether to customize or import your program settings. |
-
-#### Advanced IEM settings
-The Advanced IEM settings, including Corporate and Internet settings, were also deprecated. However, they also have replacements you can use in either Group Policy Preferences or IEAK 11.
-
-**Note** -OR- On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. |
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
deleted file mode 100644
index a002fae480..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Missing the Compatibility View Button
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Compatibility View was introduced in Windows Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the Internet Explorer web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior.
-
-Thanks to these changes, using Internet Explorer 11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
-
-## What happened to the Compatibility View button?
-In previous versions of IE, the **Compatibility View** button would attempt to fix a broken standards-based website, by getting the page to appear like it did in Internet Explorer 7. Today however, more standards-based websites are broken by attempting to appear like they did in Internet Explorer 7. So instead of implementing and using Compatibility View, developers are updating their server configuration to add X-UA-Compatible meta tags, which forces the content to the “edge”, making the **Compatibility View** button disappear. In support of these changes, the Compatibility View button has been completely removed for IE11.
-
-## What if I still need Compatibility View?
-There might be extenuating circumstances in your company, which require you to continue to use Compatibility View. In this situation, this process should be viewed strictly as a workaround. You should work with the website vendor to make sure that the affected pages are updated to match the latest web standards. The functionality described here is currently deprecated and will be removed at a time in the future.
-
-**Important**
-Compatibility View is turned on for this single website, for this specific computer.
-
-3. Decide if you want your intranet sites displayed using Compatibility View, decide whether to use Microsoft compatibility lists, and then click **Close**.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
deleted file mode 100644
index 6c68a1ec01..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: How to turn managed browser hosting controls back on in Internet Explorer 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# .NET Framework problems with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-## Summary
-
-If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
-
- **To turn managed browser hosting controls back on**
-
-1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-
-2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-
-## More information
-
-IEHost is a Microsoft .NET Framework 1.1-based technology that provides a better model than ActiveX controls to host controls within the browser. The IEHost controls are lightweight and are operated under the .NET security model where they are operated inside a sandbox.
-
-From the .NET Framework 4, we remove the IEHost.dll file for the following reasons:
-
-- IEHost/HREF-EXE-style controls are exposed to the Internet. This poses a high security risk, and most customers who install the Framework are benefiting very little from this security risk.
-- Managed hosting controls and invoking random ActiveX controls may be unsafe, and this risk cannot be countered in the .NET Framework. Therefore, the ability to host is disabled. We strongly suggest that IEHost should be disabled in any production environment.
-- Potential security vulnerabilities and assembly versioning conflicts in the default application domain. By relying on COM Interop wrappers to load your assembly, it is implicitly loaded in the default application domain. If other browser extensions do the same function, they have the risks in the default application domain such as disclosing information, and so on. If you are not using strong-named assemblies as dependencies, type loading exceptions can occur. You cannot freely configure the common language runtime (CLR), because you do not own the host process, and you cannot run any code before your extension is loaded.
-
-For more information about .NET Framework application compatibility, see [Application compatibility in the .NET Framework](/dotnet/framework/migration-guide/application-compatibility).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
deleted file mode 100644
index 1dd3438086..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: New group policy settings for Internet Explorer 11
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# New group policy settings for Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
-
-
-| Policy | Category Path | Supported on | Explanation |
-|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization. If you enable this policy setting, IE uses the HTTP2 network protocol. If you disable this policy setting, IE won't use the HTTP2 network protocol. If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. |
-| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization. If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol. If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol. If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on. **Note** If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm. If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm. If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. |
-| Allow only approved domains to use the TDC ActiveX control | If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone. If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. |
-| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled. If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols. If you disable or don’t configure this setting, Internet Explorer uses the default system protocols. **Important:** If you enable this policy setting (default), you must also pick one of the following options from the Options box: If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. |
-| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header. If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user. **In Internet Explorer 9 and 10:** **In at least IE11:** If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
-| Don't run antimalware programs against ActiveX controls If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
-| Don't run antimalware programs against ActiveX controls If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
-| Hide Internet Explorer 11 Application Retirement Notification | Administrative Templates\Windows Components\Internet Explorer | Internet Explorer 11 on Windows 10 20H2 & newer | This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11’s retirement from showing up. If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden. If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears. If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
-| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu. If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports. If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
-| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit. If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box. If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains. **Note:** If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones. If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones. To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order: **Note:** **In IE11:** If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**. If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**. If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
-| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge. If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list. If you disable or don't configure this policy setting, all sites will open based on the currently active browser. **Note:** If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode. If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. |
-| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading. If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file. If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file. **Important:** If you enable this policy setting, IE doesn't load any websites or content in the background. If you disable this policy setting, IE preemptively loads websites and content in the background. If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
-| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system. If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting. If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting. If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
-| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language. If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting. If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting. If you don't configure this policy setting, users can turn this behavior on or off. |
-| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers. If you enable this policy setting, you must specify when to use UTF-8 to encode query strings: If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
-| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu. If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
-| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background. If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm. **Note** If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default. **Important** If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager. If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class. **Note:** If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location. If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file. 
**Note:** If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering. If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
-
-## Removed Group Policy settings
-IE11 no longer supports these Group Policy settings:
-
-- Turn on Internet Explorer 7 Standards Mode
-
-- Turn off Compatibility View button
-
-- Turn off Quick Tabs functionality
-
-- Turn off the quick pick menu
-
-- Use large icons for command buttons
-
-## Viewing your policy settings
-After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings.
-
-**To use the RSoP snap-in**
-
-1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see.
-
-2. Open your wizard results in the Group Policy Management Console (GPMC).
-For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](/previous-versions/windows/it-pro/windows-server-2003/cc736424(v=ws.10))
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
deleted file mode 100644
index 4eed39657f..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ /dev/null
@@ -1,211 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use.
-author: dansimp
-ms.author: dansimp
-ms.prod: ie11
-ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-
-# Out-of-date ActiveX control blocking
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-- Windows Vista SP2
-
-ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called *out-of-date ActiveX control blocking*.
-
-Out-of-date ActiveX control blocking lets you:
-
-- Know when IE prevents a webpage from loading common, but outdated ActiveX controls.
-
-- Interact with other parts of the webpage that aren’t affected by the outdated control.
-
-- Update the outdated control, so that it’s up-to-date and safer to use.
-
-The out-of-date ActiveX control blocking feature works with all [Security Zones](https://go.microsoft.com/fwlink/p/?LinkId=403863), except the Local Intranet Zone and the Trusted Sites Zone.
-
-It also works with these operating system and IE combinations:
-
-|Windows operating system |IE version |
-|----------------------------------------|---------------------------------|
-|Windows 10 |All supported versions of IE.
-IE opens the ActiveX control’s website.
-
-2. Download the latest version of the control.
-
-**Security Note:**
-IE opens the app’s website.
-
-2. Download the latest version of the app.
-
-**Security Note:** If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file. If you disable or don't configure this setting, IE won't log ActiveX control information. Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. |
-|Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE. If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. |
-|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following: If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. |
-|Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this setting, IE stops blocking outdated ActiveX controls. If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. |
-|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. |
-
-
-If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually.
-
-|Setting |Registry setting |
-|-------------------------|----------------------------------------------------------------|
-|Turn on ActiveX control logging in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f` Where: Where: Where: Where: Where: **Note**
- If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**.
-
-3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars.
-
-4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.
- After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer.
-
- **To check for Software Rendering mode**
-
-5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**.
-
-6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.
- If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588).
-
-## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2
-IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 4c973ffad6..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can clear all of the sites from your global Enterprise Mode site list.
-
-**Important**
-This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system.
-
- **To clear your compatibility list**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**.
-
-2. Click **Yes** in the warning message. Your sites are all cleared from your list.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
deleted file mode 100644
index 4a0eace5e7..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Instructions about how to remove sites from a local compatibility view list.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Remove sites from a local compatibility view list
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems.
-
- **To remove sites from a local compatibility view list**
-
-1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**.
-
-2. Pick the site to remove, and then click **Remove**.
-Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
deleted file mode 100644
index d6bb2e98eb..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Instructions about how to remove sites from a local Enterprise Mode site list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Remove sites from a local Enterprise Mode site list
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems.
-
-> [!NOTE]
-> The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
-
-**To remove single sites from a local Enterprise Mode site list**
-
-1. Open Internet Explorer 11 and go to the site you want to remove.
-
-2. Click **Tools**, and then click **Enterprise Mode**.
-
- The checkmark disappears from next to Enterprise Mode and the site is removed from the list.
-
- > [!NOTE]
- > If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
-
-**To remove all sites from a local Enterprise Mode site list**
-
-1. Open Internet Explorer 11, click **Tools**, and then click **Internet options**.
-
-2. Click the **Delete** button from the **Browsing history** area.
-
-3. Click the box next to **Cookies and website data**, and then click **Delete**.
-
- > [!NOTE]
- > This removes all of the sites from a local Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
deleted file mode 100644
index 4b385be382..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: How to use Site List Manager to review neutral sites for IE mode
-author: dansimp
-ms.prod: windows-client
-ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
-ms.sitesec: library
-ms.date: 04/02/2020
----
-
-# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8
-- Windows Server 2012 R2
-- Microsoft Edge version 77 or later
-
-> [!NOTE]
-> This feature is available on the Enterprise Mode Site List Manager version 11.0.
-
-## Overview
-
-While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
-
-The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
-
-## Flag neutral sites
-
-To identify neutral sites to review:
-
-1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**.
-2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge.
-3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again.
-
-## Related topics
-
-- [About IE Mode](/deployedge/edge-ie-mode)
-- [Configure neutral sites](/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 7b80dd178d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Save your site list to XML in the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-
- **To save your list as XML**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**.
-
-2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
deleted file mode 100644
index 52343886ce..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: windows-client
-title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itprom
-manager: dansimp
-ms.author: dansimp
----
-
-# Schedule approved change requests for production using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
-
-**To schedule an immediate change**
-1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
-
-2. The Requester clicks the **Approved** status for the change request.
-
- The **Schedule changes** page appears.
-
-3. The Requester clicks **Now**, and then clicks **Save**.
-
- The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
-
-
-**To schedule the change for a different day or time**
-1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
-
-2. The Requester clicks the **Approved** status for the change request.
-
- The **Schedule changes** page appears.
-
-3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
-
- The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
-
-
-## Next steps
-After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index f96a952626..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Search to see if a specific site already appears in your global Enterprise Mode site list.
-author: dansimp
-ms.prod: ie11
-ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again.
-
- **To search your compatibility list**
-
-- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
- The search query searches all of the text. For example, entering *“micro”* will return results like, `www.microsoft.com`, `microsoft.com`, and `microsoft.com/images`. Wildcard characters aren’t supported.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
deleted file mode 100644
index 6ea7312b42..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Set the default browser using Group Policy
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
-
- **To set the default browser as Internet Explorer 11**
-
-1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.
-Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
-
- 
-
-2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.
-If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon.
-
-Your employees can change this setting by changing the Internet Explorer default value from the **Set Default Programs** area of the Control Panel.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
deleted file mode 100644
index b42426f1d7..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Set up and turn on Enterprise Mode logging and data collection in your organization.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Set up Enterprise Mode logging and data collection
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
-
-
-
-The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
-
-
-
-Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
-
-## Using ASP to collect your data
-When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu.
-
- **To set up an endpoint server**
-
-1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](/iis/install/installing-iis-7/installing-necessary-iis-components-on-windows-vista).
-
-2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.
- This lets you create an ASP form that accepts the incoming POST messages.
-
-3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
-
- 
-
-4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
-
- 
-
-5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
- Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
-
-6. Apply these changes to your default website and close the IIS Manager.
-
-7. Put your EmIE.asp file into the root of the web server, using this command:
-
- ```
- <% @ LANGUAGE=javascript %>
- <%
- Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
- %>
- ```
- This code logs your POST fields to your IIS log file, where you can review all of the collected data.
-
-
-### IIS log file information
-This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
-
-
-
-
-## Using the GitHub sample to collect your data
-Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.
-This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-**Note**
- The required packages are automatically downloaded and included in the solution.
-
- **To set up your endpoint server**
-
-5. Right-click on the name, PhoneHomeSample, and click **Publish**.
-
- 
-
-6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
-
- **Important**
-If you’re already on the webpage, you’ll need to refresh the page to see the results.
-
- 
-
-
-### Troubleshooting publishing errors
-If you have errors while you’re publishing your project, you should try to update your packages.
-
- **To update your packages**
-
-1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
-
- 
-
-2. Click **Updates** on the left side of the tool, and click the **Update All** button.
-You may need to do some additional package cleanup to remove older package versions.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [What is Enterprise Mode?](what-is-enterprise-mode.md)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
deleted file mode 100644
index c022c08569..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ /dev/null
@@ -1,231 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
-author: dansimp
-ms.prod: ie11
-title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Set up the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
-
-Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
-
-## Step 1 - Copy the deployment folder to the web server
-You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
-
-**To download the source code**
-1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
-
-2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
-
- > [!NOTE]
- > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
-
-3. Open File Explorer and then open the **EMIEWebPortal/** folder.
-
-4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
-
-5. Type _npm i_ into the command prompt, then press **Enter**.
-
- Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
-
-6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
-
- > [!NOTE]
- > Step 3 of this topic provides the steps to create your database.
-
-7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
-
-## Step 2 - Create the Application Pool and website, by using IIS
-Create a new Application Pool and the website, by using the IIS Manager.
-
-**To create a new Application Pool**
-1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
-
- The **Add Application Pool** box appears.
-
-2. In the **Add Application Pool** box, enter the following info:
-
- - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
-
- - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
-
- - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
-
-3. Click **OK**.
-
-4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
-
- The **Advanced Settings** box appears.
-
-5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
-
-6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
-
-7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
-
-8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
-
-9. Add **Everyone** to the list with **Read & execute access**.
-
-**To create the website**
-1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
-
- The **Add Website** box appears.
-
-2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
-
- The **Select Application Pool** box appears.
-
-4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
-
-5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
-
-6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
-
-7. Clear the **Start Website immediately** check box, and then click **OK**.
-
-8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
-
- The **<website_name> Home** pane appears.
-
-9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
-
- > [!NOTE]
- > You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
-
-## Step 3 - Create and prep your database
-Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
-
-**To create and prep your database**
-1. Start SQL Server Management Studio.
-
-2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
-
-3. Expand the instance, right-click on **Databases**, and then click **New Database**.
-
-4. Type a database name. For example, _EMIEDatabase_.
-
-5. Leave all default values for the database files, and then click **OK**.
-
-6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
-
-7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
-
-8. Run the query.
-
-## Step 4 - Map your Application Pool to a SQL Server role
-Map your ApplicationPoolIdentity to your database, adding the db_owner role.
-
-**To map your ApplicationPoolIdentity to a SQL Server role**
-1. Start SQL Server Management Studio and connect to your database.
-
-2. Expand the database instance and then open the server-level **Security** folder.
-
- > [!IMPORTANT]
- > Make sure you open the **Security** folder at the server level and not for the database.
-
-3. Right-click **Logins**, and then click **New Login**.
-
- The **Login-New** dialog box appears.
-
-4. Type the following into the **Login name** box, based on your server instance type:
-
- - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
-
- - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
-
- > [!IMPORTANT]
- > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
-
-5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
-
-6. Click **OK**.
-
-## Step 5 - Restart the Application Pool and website
-Using the IIS Manager, you must restart both your Application Pool and your website.
-
-**To restart your Application Pool and website**
-1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
-
-2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
-
-## Step 6 - Registering as an administrator
-After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
-
-**To register as an administrator**
-1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085.
-
-2. Click **Register now**.
-
-3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
-
-4. Click **Administrator** from the **Role** box, and then click **Save**.
-
-5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole.
-
- A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
-
-6. Select your name from the available list, and then click **Activate**.
-
-7. Go to the Enterprise Mode Site List Portal Home page and sign in.
-
-## Step 7 - Configure the SMTP server and port for email notification
-After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
-
-**To set up your SMTP server and port for emails**
-1. Open Visual Studio, and then open the web.config file from your deployment directory.
-
-2. Update the SMTP server and port info with your info, using this format:
-
- ```
-
- Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately.
-
- **To turn off local control using Group Policy**
-
-3. Open your Group Policy editor, like Group Policy Management Console (GPMC).
-
-4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**.
-
-5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality.
-
- **To turn off the site list using the registry**
-
-6. Open a registry editor, such as regedit.exe.
-
-7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.
- You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers.
-
-8. Close all and restart all instances of Internet Explorer.
- IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on).
-
- **To turn off local control using the registry**
-
-9. Open a registry editor, such as regedit.exe.
-
-10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.
- You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers.
-
-11. Close and restart all instances of IE.
- Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on).
-
-## Related topics
-- [What is Enterprise Mode?](what-is-enterprise-mode.md)
-- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
deleted file mode 100644
index 178085c2ad..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: Turn off natural metrics for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Fix font rendering problems by turning off natural metrics
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites.
-
-However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
-
- **To turn off natural metrics**
-
-- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi`
-
- -OR-
-
-- Add the following <meta> tag to each site: ``
-
-Turning off natural metrics automatically turns on GDI metrics.
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
deleted file mode 100644
index 1b32fa64ad..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
-description: How to turn on Enterprise Mode and specify a site list.
-ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: medium
----
-
-
-# Turn on Enterprise Mode and use a site list
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
-
-> [!NOTE]
-> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
-
- **To turn on Enterprise Mode using Group Policy**
-
-1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.
- Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
-
- 
-
-2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
-
- **To turn on Enterprise Mode using the registry**
-
-3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
- -OR-
- For all users on the device: Open a registry editor, like regedit.exe and go to This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. |
-|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
-| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the latest version of the Enterprise Mode Site List Manager.
-
-## Related topics
-
-
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
deleted file mode 100644
index b7669cf1ca..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# User interface problems with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes.
-
-## Where did features go in the Internet Explorer Customization Wizard 11?
-Various installation or set up choices can prevent you from seeing certain pages in the Internet Explorer Customization Wizard 11. If, after going through the entire Wizard you still haven't found the screen you were looking for, try:
-
-- Making sure you picked the right version of IEAK 11 during installation. Most administrators should pick the **Internal** version, which has more screens and options available.
-
-- Making sure you picked all of the features you wanted from the **Feature Selection** page of the IE Customization Wizard 11. If you don't pick a feature, the associated page won't appear.
-
-## Where are the security zone settings?
-You can see your security zone settings by opening Internet Explorer for the desktop, clicking **Internet Options** from the **Tools** menu, and then clicking **Security**.
-
-## Where did the Favorites, Command, and Status bars go?
-For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings.
-
- **To turn the toolbars back on**
-
-- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu.
- -OR-
- In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press:
-
- - **C** to turn on the **Command Bar**
-
- - **F** to turn on the **Favorites Bar**
-
- - **S** to turn on the **Status Bar**
-
-## Where did the search box go?
-IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
-
-> [!NOTE]
-> Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
deleted file mode 100644
index 677f1c974a..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using IE7 Enterprise Mode or IE8 Enterprise Mode
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features.
-
-Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code:
-
-- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode.
-- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode.
-
-**Important** Note
-For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
deleted file mode 100644
index fd8cca1014..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ /dev/null
@@ -1,173 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Info about the features included in Enterprise Mode with Internet Explorer 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/25/2018
----
-
-
-# Enterprise Mode and the Enterprise Mode Site List
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
-
-## Available dual-browser experiences
-If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
-
-Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
-
-> [!TIP]
-> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
-
-For Windows 10, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
-
-
-## What is Enterprise Mode?
-Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
-
-### Enterprise Mode features
-Enterprise Mode includes the following features:
-
-- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
-
-- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
-Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
-
-- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
-
- > [!Important]
- > All centrally-made decisions override any locally-made choices.
-
-- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
-
-- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
-
-## Enterprise Mode and the Enterprise Mode Site List
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
- XML file
-The Enterprise Mode Site List is an XML document that specifies a list of sites, their compatibility mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In IE11, the webpage can also be launched in a specific compatibility mode, so it always renders correctly. Your employees can easily view this site list by typing `about:compat` in either Microsoft Edge or IE11.
-
-Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
-
-### Site list xml file
-This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compatibility mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
-
-```xml
-
-Wait for the message, **Blocking deployment of IE11 on the local machine. The operation completed successfully.**
-
-6. Close the Command Prompt.
-
-For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
-
-## Automatic updates
-Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
-
-### Automatic delivery process
-Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer.
-
-Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.
-
-### Internet Explorer 11 automatic upgrades
-
-Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11.
-
-Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update.
-
-### Options for blocking automatic delivery
-
-If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following:
-
-- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
- > [!NOTE]
- >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml).
-
-- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
-
-> [!NOTE]
-> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
-
-
-### Prevent automatic installation of Internet Explorer 11 with WSUS
-
-Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to:
-
-1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
-
-2. Expand *ComputerName*, and then click **Options**.
-
-3. Click **Automatic Approvals**.
-
-4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.**
-
- > [!NOTE]
- > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
-
-5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
-
- > [!NOTE]
- > The properties for this rule will resemble the following:
- Supported web standards include:
-
- - Web Graphics Library (WebGL)
-
- - Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules
-
- - Fullscreen API
-
- - Encrypted media extensions
-
- - Media source extensions
-
- - CSS flexible box layout module
-
- - And mutation observers like DOM4 and 5.3
-
- For more information about specific changes and additions, see the [IE11 guide for developers](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182636(v=vs.85)).
-
- - question: |
- What test tools exist to test for potential application compatibility issues?
- answer: |
- The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://testdrive-archive.azurewebsites.net/html5/compatinspector/help/post.htm). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
-
- - question: |
- Why am I having problems launching my legacy apps with Internet Explorer 11?
- answer: |
- It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by:
-
- - **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-
- - **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-
- For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page.
-
- - question: |
- Is there a compatibility list for IE?
- answer: |
- Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864).
-
- - question: |
- What is Enterprise Mode?
- answer: |
- Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.
- For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md).
-
- - question: |
- What is the Enterprise Mode Site List Manager tool?
- answer: |
- Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.
- For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md).
-
- - question: |
- Are browser plug-ins supported in IE11?
- answer: |
- The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight.
-
- - question: |
- Is Adobe Flash supported on IE11?
- answer: |
- Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.
- **Important**
-
- |Setting |Result |
- |--------|-------|
- |Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
- |Always in IE11 |Links always open in IE. |
- |Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
-
-
- - question: |
- Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
- answer: |
- Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
-
- IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
-
- | | | |
- |---------|---------|---------|
- |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
- |[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
- |[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
- |[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
- |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
- |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
- |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
- |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
-
-
-
-
- - question: |
- What are the different modes available for the Internet Explorer Customization Wizard?
- answer: |
- The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md).
-
- The following table displays which pages are available in IEAK 11, based on the licensing mode:
-
- | **Wizard Pages** | **External** | **Internal** |
- |-------------------------------------------|--------------|--------------|
- | Welcome to the IEAK | Yes | Yes |
- | File Locations | Yes | Yes |
- | Platform Selection | Yes | Yes |
- | Language Selection | Yes | Yes |
- | Package Type Selection | Yes | Yes |
- | Feature Selection | Yes | Yes |
- | Automatic Version Synchronization | Yes | Yes |
- | Custom Components | Yes | Yes |
- | Corporate Install | No | Yes |
- | User Experience | No | Yes |
- | Browser User Interface | Yes | Yes |
- | Search Providers | Yes | Yes |
- | Important URLs - Home page and Support | Yes | Yes |
- | Accelerators | Yes | Yes |
- | Favorites, Favorites Bar, and Feeds | Yes | Yes |
- | Browsing Options | No | Yes |
- | First Run Wizard and Welcome Page Options | Yes | Yes |
- | Compatibility View | Yes | Yes |
- | Connection Manager | Yes | Yes |
- | Connection Settings | Yes | Yes |
- | Automatic Configuration | No | Yes |
- | Proxy Settings | Yes | Yes |
- | Security and Privacy Settings | No | Yes |
- | Add a Root Certificate | Yes | No |
- | Programs | Yes | Yes |
- | Additional Settings | No | Yes |
- | Wizard Complete | Yes | Yes |
-
-
-additionalContent: |
-
- ## Related topics
-
- - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
- - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
deleted file mode 100644
index 618ec339b5..0000000000
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
+++ /dev/null
@@ -1,161 +0,0 @@
-### YamlMime:FAQ
-metadata:
- ms.localizationpriority: medium
- ms.mktglfcycl: explore
- description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
- author: dansimp
- ms.author: dansimp
- ms.prod: ie11
- ms.assetid:
- ms.reviewer:
- audience: itpro
- manager: dansimp
- title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
- ms.sitesec: library
- ms.date: 05/10/2018
- ms.topic: faq
-title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
-summary: |
- [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
- Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
-
- > [!Important]
- > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
-
- - [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process)
-
- - [How the Internet Explorer 11 Blocker Toolkit works](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#how-the-internet-explorer-11-blocker-toolkit-works)
-
- - [Internet Explorer 11 Blocker Toolkit and other update services](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#internet-explorer-11-blocker-toolkit-and-other-update-services)
-
-
-sections:
- - name: Automatic Updates delivery process
- questions:
- - question: |
- Which users will receive Internet Explorer 11 important update?
- answer: |
- Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically downloand install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
-
- - question: |
- When is the Blocker Toolkit available?
- answer: |
- The Blocker Toolkit is currently available from the [Microsoft DownloCenter](https://www.microsoft.com/download/details.aspx?id=40722).
-
- - question: |
- Whtools cI use to manage Windows Updates and Microsoft Updates in my company?
- answer: |
- We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
-
- - question: |
- How long does the blocker mechanism work?
- answer: |
- The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts long the registry key value isn’t removed or changed.
-
- - question: |
- Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?
- answer: |
- Automatic Updates provide you with ongoing criticsecurity and reliability updates. Turning this feature off cleave your computers more vulnerable. Instead, we suggest thyou use update management solution, such WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
-
- The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to downloand install in companies thcan’t use WSUS, Configuration Manager, or
- other update management solution.
-
- - question: |
- Why don’t we just block URL access to Windows Update or Microsoft Update?
- answer: |
- Blocking the Windows Update or Microsoft Update URLs also stops delivery of criticsecurity and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
-
- - name: How the Internet Explorer 11 Blocker Toolkit works
- questions:
- - question: |
- How should I test the Internet Explorer 11 Blocker Toolkit in my company?
- answer: |
- Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additionimpact or side effects to your environment. No additiontesting should be necessary.
-
- - question: |
- What’s the registry key used to block delivery of Internet Explorer 11?
- answer: |
- HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
-
- - question: |
- What’s the registry key name and values?
- answer: |
- The registry key name is **DoNotAllowIE11**, where:
-
- - A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
-
- - Not providing a registry key, or using a value of anything other th**1**, lets the user install Internet Explorer 11 through Automatic Updates or a
- manuupdate.
-
- - question: |
- Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?
- answer: |
- No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users cstill downloand install Internet Explorer 11 from the Microsoft DownloCenter or from externmedia.
-
- - question: |
- Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?
- answer: |
- Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
-
- - question: |
- How does the provided script work?
- answer: |
- The script accepts one of two command line options:
-
- - **Block:** Creates the registry key thstops Internet Explorer 11 from installing through Automatic Updates.
-
- - **Unblock:** Removes the registry key thstops Internet Explorer 11 from installing through Automatic Updates.
-
- - question: |
- What’s the ADM template file used for?
- answer: |
- The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
-
- - question: |
- Is the tool localized?
- answer: |
- No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
-
- - name: Internet Explorer 11 Blocker Toolkit and other update services
- questions:
- - question: |
- Is there a version of the Internet Explorer Blocker Toolkit thwill prevent automatic installation of IE11?
- answer: |
- Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft DownloCenter.
-
- - question: |
- Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?
- answer: |
- No. You cstill deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies thdon’t use upgrade management solutions.
-
- - question: |
- If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?
- answer: |
- You only need to change your settings if:
-
- - You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-
- -and-
-
- - You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-
- -and-
-
- - You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now.
-
- If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation.
-
-
-additionalContent: |
-
- ## Additionresources
-
- - [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-
- - [Internet Explorer 11 Ffor IT pros](./faq-for-it-pros-ie11.yml)
-
- - [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-
- - [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md)
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.yml b/browsers/internet-explorer/ie11-faq/faq-ieak11.yml
deleted file mode 100644
index 20e3889f45..0000000000
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.yml
+++ /dev/null
@@ -1,140 +0,0 @@
-### YamlMime:FAQ
-metadata:
- ms.localizationpriority: medium
- ms.mktglfcycl: support
- ms.pagetype: security
- description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
- author: dansimp
- ms.author: dansimp
- ms.manager: elizapo
- ms.prod: ie11
- ms.assetid:
- ms.reviewer:
- audience: itpro
- manager: dansimp
- title: IEAK 11 - Frequently Asked Questions
- ms.sitesec: library
- ms.date: 05/10/2018
- ms.topic: faq
-title: IEAK 11 - Frequently Asked Questions
-summary: |
- [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
- Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What is IEAK 11?
- answer: |
- IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
-
- - question: |
- What are the supported operating systems?
- answer: |
- You can customize and install IEAK 11 on the following supported operating systems:
-
- - Windows 8
-
- - Windows Server 2012
-
- - Windows 7 Service Pack 1 (SP1)
-
- - Windows Server 2008 R2 Service Pack 1 (SP1)
-
- > [!NOTE]
- > IEAK 11 does not support building custom packages for Windows RT.
-
-
- - question: |
- What can I customize with IEAK 11?
- answer: |
- The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
-
- > [!NOTE]
- > Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
-
- - question: |
- Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
- answer: |
- Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
-
- > [!NOTE]
- > IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
-
- - question: |
- Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?
- answer: |
- Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
-
- - [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter.
-
- - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
-
- - question: |
- What are the different modes available for the Internet Explorer Customization Wizard?
- answer: |
- The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md).
-
- The following table displays which pages are available in IEAK 11, based on the licensing mode:
-
- | **Wizard Pages** | **External** | **Internal** |
- |-------------------------------------------|--------------|--------------|
- | Welcome to the IEAK | Yes | Yes |
- | File Locations | Yes | Yes |
- | Platform Selection | Yes | Yes |
- | Language Selection | Yes | Yes |
- | Package Type Selection | Yes | Yes |
- | Feature Selection | Yes | Yes |
- | Automatic Version Synchronization | Yes | Yes |
- | Custom Components | Yes | Yes |
- | Corporate Install | No | Yes |
- | User Experience | No | Yes |
- | Browser User Interface | Yes | Yes |
- | Search Providers | Yes | Yes |
- | Important URLs - Home page and Support | Yes | Yes |
- | Accelerators | Yes | Yes |
- | Favorites, Favorites Bar, and Feeds | Yes | Yes |
- | Browsing Options | No | Yes |
- | First Run Wizard and Welcome Page Options | Yes | Yes |
- | Compatibility View | Yes | Yes |
- | Connection Manager | Yes | Yes |
- | Connection Settings | Yes | Yes |
- | Automatic Configuration | No | Yes |
- | Proxy Settings | Yes | Yes |
- | Security and Privacy Settings | No | Yes |
- | Add a Root Certificate | Yes | No |
- | Programs | Yes | Yes |
- | Additional Settings | No | Yes |
- | Wizard Complete | Yes | Yes |
-
-
- - question: |
- Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
- answer: |
- Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
-
- IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
-
- | | | |
- |---------|---------|---------|
- |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
- |[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
- |[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
- |[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
- |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
- |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
- |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
- |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
-
-additionalContent: |
-
- ## Additional resources
-
- -[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md)
- -[IEAK 11 overview](../ie11-ieak/index.md)
- -[IEAK 11 product documentation](../ie11-ieak/index.md)
- -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
deleted file mode 100644
index 40a7886b0a..0000000000
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Accelerators page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map.
-
-**Note**
-The **Add Accelerator** box appears.
-
-3. Use the **Browse** button to go to your custom accelerator XML file.
-
-4. Check the **Set this Accelerator as the default for the category** box if you want this accelerator to be the default value that shows up for the category.
-
-5. Click **Edit** to change your accelerator information, click **Set Default** to make an accelerator the default value for a category, or **Remove** to delete an accelerator.
-
-6. Click **Next** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page or **Back** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
deleted file mode 100644
index b4d0459c78..0000000000
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use IEAK 11 to add and approve ActiveX controls for your organization.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add and approve ActiveX controls using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
-
-**Note** Note Note
- For more detailed info about how to set up your DHCP server, see your server documentation.
-
-**To set up automatic detection for DNS servers**
-
-1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file. The syntax is: -OR-
- Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
- Note
-You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue.
-
-2. Click **Next** to go to the [Custom Components](custom-components-ieak11-wizard.md) page or **Back** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
deleted file mode 100644
index 7271837b2e..0000000000
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: A list of steps to follow before you start to create your custom browser installation packages.
-author: dansimp
-ms.author: dansimp
-ms.manager: elizapo
-ms.prod: ie11
-ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 04/24/2018
----
-
-
-# Before you start using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
-
-- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
-
-- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md).
-
-- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md).
-
-- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md).
-
-- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly?
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
deleted file mode 100644
index 351b1bbb76..0000000000
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Branding .INS file to create custom branding and setup info
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about the custom branding and setup information in your browser package.
-
-|Name |Value | Description |
-|-----------|--------------------------------|--------------------------------------------------------------|
-|Add on URL | ` **Note** **Note**
-The text shows up in the title bar as **IE provided by** <*your_custom_text*>.
-
-2. Check the **Delete existing toolbar buttons, if present** box so you can delete all of the toolbar buttons in your employee’s browser, except for the standard buttons installed with IE (which can’t be removed).
-
-**Note**
- The **Browser Toolbar Button Information** box appears.
-
-4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters.
-
-5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button.
-
-6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels.
-
-7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.
- This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**.
-
-8. Click **OK.**
-
-9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed.
-
-10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
deleted file mode 100644
index 05fb2324f7..0000000000
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about how to customize the Internet Explorer toolbar.
-
-|Name |Value |Description |
-|-----------|---------------------------|-------------|
-|Action0 |` **Note** **Note**
-**Important**
-Where *description* is the string that’s shown in the **Uninstall or change a program** box.
-
-2. Add another new key and value to:
-Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box.
-
-Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component.
-
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
deleted file mode 100644
index 1a981a5a16..0000000000
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Custom Components page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component.
-
-**Important**
-The **Add a Custom Component** box appears.
-
-2. Type in the name of your component and then browse to the location of your file (either .cab or .exe).
-
-3. Pick when to install the component. This can be before IE, after IE, or after the computer restarts.
-**Important**
-The boxes clear and you can add another component. Click **Cancel** to go back to the **Custom Components** page.
-
-12. Click **Edit** to change your custom component information, **Verify** to make sure the component is digitally signed, or **Remove** to delete the component from your custom installation package.
-
-13. Click **Next** to go to the [Internal Install](internal-install-ieak11-wizard.md) page or **Back** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
deleted file mode 100644
index 7a5556235d..0000000000
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the CustomBranding .INS file to create custom branding and setup info
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Provide the URL to your branding cabinet (.cab) file.
-
-
-| Name | Value | Description |
-|----------|------------------|------------------------------------------------------------------------------------------------------------------------|
-| Branding | `
- For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).
- **Important**
-The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites** folder.
-
-3. To add a new favorite link, pick **Favorites**, and then click **Add URL**.
-The **Details** box appears.
-
-4. Type the new link name in the **Name** box.
-
-5. Type the new URL in the **URL** box.
-
-6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box.
-
-7. Click **OK**.
-
-8. To add a new **Favorites** folder, pick **Favorites**, and then click **Add Folder**.
-The **Details** box appears.
-
-9. Type the folder name into the **Name** box, and then click **OK**.
-
-10. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites** item.
-
-11. If you have multiple **Favorites** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**.
-
-12. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit.
-
-13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
-
-**To work with the Favorites Bar**
-
-1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**.
-
-2. Go to your existing link folder, most likely in the `
-The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites Bar** folder.
-
-3. To add a new link to the **Favorites Bar**, pick **Favorites Bar**, and then click **Add URL**.
-The **Details** box appears.
-
-4. Type the new quick link name in the **Name** box.
-
-5. Type the new URL in the **URL** box.
-
-6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box.
-
-7. Pick whether your link is a simple **Link**, a **Feed**, or a **Web Slice**, and then click **OK**.
-
-8. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites Bar** item.
-
-9. If you have multiple **Favorites Bar** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**.
-
-10. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit.
-
-11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
-
-**To work with RSS Feeds**
-
-1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.
-The **Details** box appears.
-
-2. Type the new link name in the **Name** box.
-
-3. Type the new URL in the **URL** box, and then click **OK**.
-
-4. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **RSS Feeds** item.
-
-5. If you have multiple **RSS Feeds** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**.
-
-6. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit.
-
-7. Continue with the next procedures in this topic to add additional **Favorites** or **Favorites Bar** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
deleted file mode 100644
index ac736e20df..0000000000
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 55de376a-d442-478e-8978-3b064407b631
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the FavoritesEx .INS file for your Favorites icon and URLs
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site.
-
-|Name |Value |Description |
-|----------------|-----------------------|--------------------------------------------------------------------------|
-|IconFile1 |`
-You can also click **Select All** to add, or **Clear All** to remove, all of the features.
-
-2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page.
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
deleted file mode 100644
index 0aee908cd4..0000000000
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
-author: dansimp
-ms.prod: ie11
-ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the File Locations page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including:
-
-- Where you’ll create and store your custom installation package.
-
-- Where you’ll download and store Internet Explorer 11.
-
-**Important**
-**Note**
-The **Advanced Options** box opens and lets you change how the wizard downloads and gets files, and how it imports settings from your .ins file.
-
-3. Check the box letting IE Customization Wizard 11 look for the latest components, using Automatic Version Synchronization.
-This option lets the wizard connect to the IE **Downloads** page to look for updated versions of IE since you last ran the wizard.
-**Important**
-By importing settings from an .ins file, you can re-use existing configurations. This saves you time if your packages have the same or similar settings.
-
-5. Browse to your component download folder.
-Automatic Version Synchronization automatically checks the component download folder to see if you have the latest version of IE. To keep this folder up-to-date, you shouldn’t change its location. However, if you want to keep both a previous version of IE and the latest version, we recommend you download the components to a different location.
-
-6. Click **OK** to close the **Advanced Options** box, and then click **Next** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
deleted file mode 100644
index 616e3b9938..0000000000
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11).
-author: dansimp
-ms.prod: ie11
-ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# File types used or created by IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-A list of the file types used or created by tools in IEAK 11:
-
-|File type |Description |
-|----------|-------------------------|
-|.adm | An admin file (located at ` **Important**
-Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page.
-
-2. If you cleared the First Run wizard box, you can decide which **Welcome** page to use:
-
- - **Use IE11 Welcome Page.** Check this box if you want to use the default IE11 **Welcome** page.
-
- - **Use a custom Welcome Page.** Check this box if you want to use a custom **Welcome** page. If you choose this option, you need to add the URL to your custom page.
-
-3. Click **Next** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page or **Back** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
deleted file mode 100644
index e3d95badec..0000000000
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons.
-author: dansimp
-ms.prod: ie11
-ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Customize the Toolbar button and Favorites List icons using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics.
-
-**Important** However, you must use the Windows 8.1 target platform and only the "Configuration-only package" is available.
-
-- Windows 8.1
-
-- Windows Server 2012 R2
-
-- Windows® 7 Service Pack 1 (SP1)
-
-- Windows Server 2008 R2 (SP1)
-
-**Important**
-
-|Parameter (Setup options) |Description |
-|--------------------------|-------------------------------------------------------------------------------------------------|
-|`/update-no` |Doesn't look for Internet Explorer updates. |
-|`/no-default` |Doesn't make Internet Explorer the default browser. |
-|`/no-backup` |Doesn't back up the files necessary to uninstall IE. |
-|`/ieak-full` |Reserved for use by the IEAK 11. |
-|`/ieak-branding` |Reserved for use by the IEAK 11. |
-
-
-|Parameter (Restart options) |Description |
-|----------------------------|--------------------------------------------|
-|`/norestart` |Doesn't restart after installation. |
-|`/forcerestart` |Restarts after installation. |
-
-
-|Parameter (miscellaneous options) |Description |
-|----------------------------------|--------------------------------------------|
-|`/help` |Provides help info. Can't be used with any other option. |
-|`/log **Important** **Note** This only applies to IE11 on Windows 7 SP1 |
-|[Browser user interface](browser-ui-ieak11-wizard.md) |Internet Explorer for the desktop |Customize your title bars and toolbar buttons. |
-|[Search Providers](search-providers-ieak11-wizard.md) |Both |Import and add Search providers. |
-|[Important URLs – Home page and Support](important-urls-home-page-and-support-ieak11-wizard.md) |The **Support** page is supported by both experiences. The **Home** page is only supported on Internet Explorer for the desktop. |Add URLs for your **Home** and **Support** pages. |
-|[Accelerators](accelerators-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add default accelerators. |
-|[Favorites, Favorites Bar and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add items to the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. **Note** **Note** -OR- -AND- -OR-
-If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**.
-
-2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated.
-
-3. Check the **Online support page URL** box to type in the URL to your own support page. Customizing the support page is only supported in Internet Explorer for the desktop.
-
-4. Click **Next** to go to the [Accelerators](accelerators-ieak11-wizard.md) page or **Back** to go to the [Search Providers](search-providers-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
deleted file mode 100644
index d4dde73e8c..0000000000
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-ms.mktglfcycl: plan
-description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
-author: dansimp
-ms.author: dansimp
-ms.prod: ie11
-ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
-title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.localizationpriority: medium
-manager: dansimp
-ms.date: 03/15/2016
----
-
-
-# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
-
-Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
-
-> [!IMPORTANT]
-> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
-
-
-## Included technology
-IEAK 11 includes the following technology:
-- **Internet Explorer Customization Wizard.** This wizard guides you through the process of creating custom browser packages. After these packages are installed on your user's desktop, the user receives customized versions of Internet Explorer 11, with the settings and options you selected through the wizard.
-- **Windows Installer (MSI).** IEAK 11 supports creating an MSI wrapper for your custom Internet Explorer 11 packages, enabling you to use Active Directory to deploy the package to your user's PC.
-- **IEAK Help.** IEAK 11 Help includes many conceptual and procedural topics, which you can view from the **Index**, **Contents**, or **Search** tabs. You also have the option to print any topic, or the entire Help library.
-
-
-## Naming conventions
-IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system:
-
-|Name |Description |
-|-----|-----------------------------------------------------------|
-|IE |The immersive browser, or IE, without a specific version. |
-|Internet Explorer for the desktop |The desktop browser. This is the only experience available when running IE11 on Windows 7 SP1. |
-|IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. |
-|Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. |
-
-## Related topics
-- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
-- [Download IEAK 11](ieak-information-and-downloads.md)
-- [IEAK 11 administrators guide]()
-- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
deleted file mode 100644
index 6936f198d0..0000000000
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Internal Install page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines.
-
-**Note** -OR-
-
- - **Do not set IE as the default browser.** Won’t set IE as the default browser. However, your employees can still make IE the default.
-
-2. Click **Next** to go to the [User Experience](user-experience-ieak11-wizard.md) page or **Back** to go to the [Custom Components](custom-components-ieak11-wizard.md).
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
deleted file mode 100644
index 666c5f8b17..0000000000
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the ISP_Security .INS file to add your root certificate
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about where you store the root certificate you’re adding to your custom package.
-
-|Name |Value |Description |
-|---------------|-----------------------|------------------------------------------------------------------------------------------|
-|RootCertPath |`
-You can support as many languages as you want, but each localized version must be in its own install package.
-**Note** -OR-
-
-2. Check the **Configuration-only package** box if you want to update an existing installation of IE11. This media package is named **IE11- Setup-Branding.exe**, in the `
-You can distribute this file on any media format or server. It customizes the IE11 features without re-installing IE.
-**Important**
-You must create individual packages for each supported operating system.
-**Note** -OR-
-
- - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings. **Note**
-Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`.
-
-3. Type the port for each service. The default value is *80*.
-
-4. Check the **Use the same proxy server for all addresses** box to use the same proxy server settings for all of your services.
-
-5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.
-When filling out your exceptions, keep in mind:
-
- - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol.
-
- - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters.
-
- - You must use a semicolon between your entries.
-
- - This list is limited to **2064** characters.
-
-6. Check the **Do not use proxy server for local (intranet) addresses** to bypass your proxy servers for all addresses on your intranet.
-
-7. Click **Next** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page or **Back** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
deleted file mode 100644
index f3b4414183..0000000000
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Learn how to register an uninstall app for your custom components, using IEAK 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.date: 07/27/2017
----
-
-
-# Register an uninstall app for custom components using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel.
-
-## Register your uninstallation program
-While you’re running your custom component setup process, your app can add information to the subkeys in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` registry key, registering your uninstallation program.
-
-**Note**
-The Microsoft Management Console opens.
-
-2. Click **File**, and then click **Add/Remove Snap-in**.
-
-3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.
-You’re now ready to use the RSoP snap-in from the console.
-
-**To use the RSoP snap-in**
-
-1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.
-You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in.
-
-2. Click **Next** on the **Welcome** screen.
-
-3. Under **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, click **IE**, and then click the feature you want to review the policy settings for.
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
deleted file mode 100644
index c092a2101b..0000000000
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Search Providers page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE.
-
-**Note**
-The **Search Provider** box appears.
-
-3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider.
-
-4. In the **URL** box, type the full URL to the search provider, including the https:// prefix.
-
-5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider.
-
-6. In the **Suggestions URL (XML)** box, type the associated search suggestions in XML format.
-
-7. In the **Suggestions URL (JSON)** box, type the associated search suggestions in JavaScript Object Notation format.
-
-8. In the **Accelerator Preview URL** box, type the associated Accelerator preview URL for each provider, if it’s necessary.
-
-9. Check the **Display Search Suggestions for this provider** box to turn on search suggestions for the provider, and then click **OK**.
-
-10. Check the **Search Guide URL Customization** box if you’re going to add your search providers to a custom webpage for your employees. Then, type the URL to the custom webpage in the text box.
-
-11. Click **Edit** to change your search provider information, click **Set Default** to make a search provider the default for your employees, or **Remove** to delete a search provider.
-
-12. Click **Next** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page or **Back** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
deleted file mode 100644
index 6c1c936553..0000000000
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Learn about the security features available in Internet Explorer 11 and IEAK 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Security features and IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet.
-
-## Enhanced Protection Mode
-Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments, including:
-
-- Restricting access to higher-level processes in the AppContainer.
-
-- Improving security against memory safety exploits in 64-bit tab processes.
-
-This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](../ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md).
-
-## Certificates and Digital Signatures
-Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser.
-
-Because of this, the custom .cab files created by the Internet Explorer Customization Wizard should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed.
-
-### Understanding digital certificates
-To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more info about obtaining certificates or setting up a certificate server, see the following:
-
-- Microsoft-trusted certification authorities ([Windows root certificate program requirements](/previous-versions//cc751157(v=technet.10))).
-
-- Certificates overview documentation ([Certificates](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732331(v=ws.11))).
-
-- Microsoft Active Directory Certificate Services ( [Active Directory Certificate Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732625(v=ws.11))).
-
-- Enterprise public key infrastructure (PKI) snap-in documentation ([Enterprise PKI](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771400(v=ws.11))).
-
-After you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your device at the time the certificate is requested, and your private key is never sent to the certification authority or any other party.
-
-### Understanding code signing
-Code signing varies, depening on how you plan to distribute your custom install package.
-
-- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](/dotnet/framework/tools/signtool-exe)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](/previous-versions/9sh96ycy(v=vs.100))). You should read the documentation included with these tools for more info about all of the signing options.
-In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](/previous-versions/windows/hardware/design/dn653556(v=vs.85))).
-
-- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code.
-
-### Understanding your private key
-Your device creates two keys during the enrollment process of your digital certificate. One is a public key, which is sent to anyone you want to communicate with, and one is a private key, which is stored on your local device and must be kept secret. You use the private key to encrypt your data and the corresponding public key to decrypt it.
-
-You must keep your private key, private. To do this, we recommend:
-
-- **Separate test and release signing.** Set up a parallel code signing infrastructure, using test certificates created by an internal test root certificate authority. This helps to ensure that your certificates aren’t stored on an insecure build system, reducing the likelihood that they will be compromised.
-
-- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices.
-
-- **Security.** Protect your private keys using physical security measures, such as cameras and card readers.
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
deleted file mode 100644
index c78a131719..0000000000
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings.
-author: dansimp
-ms.prod: ie11
-ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Security and Privacy Settings page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
-
-**To use the Security and Privacy Settings page**
-
-1. Decide if you want to customize your security zones and privacy settings. You can pick:
-
- - **Do not customize security zones and privacy.** Pick this option if you don’t want to customize your security zones and privacy settings.
-
- - **Import the current security zones and privacy.** Pick this option to import your security zone and privacy settings from your computer and use them as the preset for your employee’s settings. **Note** **Note** The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
-
-**To use the User Experience page**
-
-1. Choose how your employee should interact with Setup, including:
-
- - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
-
- - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
-
- - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
- Both the hands-free and completely silent installation options will:
-
- - Answer prompts so Setup can continue.
-
- - Accept the license agreement.
-
- - Determine that Internet Explorer 11 is installed and not just downloaded.
-
- - Perform your specific installation type.
-
- - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
-
-2. Choose if your employee’s device will restart at the end of Setup.
-
- - **Default**. Prompts your employees to restart after installing IE.
-
- - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
-
- - **Force restart**. Automatically restarts the computer after installing IE.
-
-3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
deleted file mode 100644
index c9bb888bed..0000000000
--- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Internet Settings (.INS) files with IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
-
-Here's a list of the available .INS file settings:
-
-|Setting |Description |
-|-----------------------------------------|------------------------------------------------------------------------------|
-|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
-|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
-|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
-|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
-|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
-|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
-|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
-|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
-|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
-|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
-|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
-|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
-|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
deleted file mode 100644
index b6c2cc7087..0000000000
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-author: dansimp
-ms.author: dansimp
-ms.manager: elizapo
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: What IEAK can do for you
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# What IEAK can do for you
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-
-- Internal
-
-- External
-
-## IEAK 11 users
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-- Internal
-- External
-
-> [!NOTE]
-> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
-
-
-### Corporations
-IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
-
-Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
-
-### Internet service providers
-IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
-
-ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
-
-### Internet content providers
-IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
-
-ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
-
-### Independent software vendors
-IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
-
-ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
-
-## Additional resources
-
-- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
-- [Download IEAK 11](ieak-information-and-downloads.md)
-- [IEAK 11 overview](index.md)
-- [IEAK 11 administrators guide](./index.md)
-- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
deleted file mode 100644
index 03de7ed423..0000000000
--- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
-
-In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
-
-After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/images/deploy1.png b/browsers/internet-explorer/images/deploy1.png
deleted file mode 100644
index 1e16c46e03..0000000000
Binary files a/browsers/internet-explorer/images/deploy1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/deploy2.png b/browsers/internet-explorer/images/deploy2.png
deleted file mode 100644
index 44b4aad41c..0000000000
Binary files a/browsers/internet-explorer/images/deploy2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/explore1.png b/browsers/internet-explorer/images/explore1.png
deleted file mode 100644
index 3a956dc394..0000000000
Binary files a/browsers/internet-explorer/images/explore1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/explore2.png b/browsers/internet-explorer/images/explore2.png
deleted file mode 100644
index c07bbd197b..0000000000
Binary files a/browsers/internet-explorer/images/explore2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/explore3.png b/browsers/internet-explorer/images/explore3.png
deleted file mode 100644
index 4ea3adee19..0000000000
Binary files a/browsers/internet-explorer/images/explore3.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/ie-deploy.png b/browsers/internet-explorer/images/ie-deploy.png
deleted file mode 100644
index 622d9e250b..0000000000
Binary files a/browsers/internet-explorer/images/ie-deploy.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/ie-explore.png b/browsers/internet-explorer/images/ie-explore.png
deleted file mode 100644
index 184cfdf381..0000000000
Binary files a/browsers/internet-explorer/images/ie-explore.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/ie-manage.png b/browsers/internet-explorer/images/ie-manage.png
deleted file mode 100644
index 51c9cc4aa9..0000000000
Binary files a/browsers/internet-explorer/images/ie-manage.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/ie-plan.png b/browsers/internet-explorer/images/ie-plan.png
deleted file mode 100644
index 9b158a815f..0000000000
Binary files a/browsers/internet-explorer/images/ie-plan.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/ie-support.png b/browsers/internet-explorer/images/ie-support.png
deleted file mode 100644
index 4152163abc..0000000000
Binary files a/browsers/internet-explorer/images/ie-support.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/informed1.png b/browsers/internet-explorer/images/informed1.png
deleted file mode 100644
index a1f1f0b0fe..0000000000
Binary files a/browsers/internet-explorer/images/informed1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/informed2.png b/browsers/internet-explorer/images/informed2.png
deleted file mode 100644
index 544ad83db6..0000000000
Binary files a/browsers/internet-explorer/images/informed2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/manage1.png b/browsers/internet-explorer/images/manage1.png
deleted file mode 100644
index df84f05983..0000000000
Binary files a/browsers/internet-explorer/images/manage1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/manage2.png b/browsers/internet-explorer/images/manage2.png
deleted file mode 100644
index 94d111e32c..0000000000
Binary files a/browsers/internet-explorer/images/manage2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/manage3.png b/browsers/internet-explorer/images/manage3.png
deleted file mode 100644
index c0043c5a8e..0000000000
Binary files a/browsers/internet-explorer/images/manage3.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/manage4.png b/browsers/internet-explorer/images/manage4.png
deleted file mode 100644
index 20af91d5a5..0000000000
Binary files a/browsers/internet-explorer/images/manage4.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/plan1.png b/browsers/internet-explorer/images/plan1.png
deleted file mode 100644
index 1bf8e4264e..0000000000
Binary files a/browsers/internet-explorer/images/plan1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/plan2.png b/browsers/internet-explorer/images/plan2.png
deleted file mode 100644
index 95103ecc5b..0000000000
Binary files a/browsers/internet-explorer/images/plan2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/support1.png b/browsers/internet-explorer/images/support1.png
deleted file mode 100644
index e771ed999a..0000000000
Binary files a/browsers/internet-explorer/images/support1.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/support2.png b/browsers/internet-explorer/images/support2.png
deleted file mode 100644
index 9841cf1962..0000000000
Binary files a/browsers/internet-explorer/images/support2.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/support3.png b/browsers/internet-explorer/images/support3.png
deleted file mode 100644
index a3a0425c73..0000000000
Binary files a/browsers/internet-explorer/images/support3.png and /dev/null differ
diff --git a/browsers/internet-explorer/images/twitter.png b/browsers/internet-explorer/images/twitter.png
deleted file mode 100644
index 3b30a9a1cc..0000000000
Binary files a/browsers/internet-explorer/images/twitter.png and /dev/null differ
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
deleted file mode 100644
index 2ba0956295..0000000000
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: aczechowski
-ms.author: aaroncz
-ms.date: 02/14/2023
-ms.reviewer: cathask
-manager: aaroncz
-ms.prod: ie11
-ms.topic: include
----
-
-> [!CAUTION]
-> **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
deleted file mode 100644
index 7aeb739bc8..0000000000
--- a/browsers/internet-explorer/index.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-ms.mktglfcycl: deploy
-description: The landing page for IE11 that lets you access the documentation.
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.prod: ie11
-title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.date: 07/27/2017
----
-
-
-# Internet Explorer 11 (IE11)
-Find info about Internet Explorer 11 that's important to IT Pros.
-
-- [Internet Explorer 11 - FAQ for IT Pros](ie11-faq/faq-for-it-pros-ie11.yml)
-
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
-
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](ie11-ieak/index.md)
-
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
deleted file mode 100644
index 17eee2393b..0000000000
--- a/browsers/internet-explorer/internet-explorer.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-### YamlMime:Landing
-
-title: Internet Explorer 11 documentation
-summary: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
-metadata:
- title: Internet Explorer 11 documentation
- description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
- ms.topic: landing-page
- author: aczechowski
- ms.author: aaroncz
- ms.date: 07/29/2022
- ms.prod: ie11
-
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
-
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card
- - title: Explore
- linkLists:
- - linkListType: get-started
- links:
- - text: IE11 features and tools
- url: ./ie11-deploy-guide/updated-features-and-tools-with-ie11.md
- - text: System requirements and language support
- url: ./ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
- - text: Frequently asked questions
- url: ./ie11-faq/faq-for-it-pros-ie11.yml
- - text: Internet Explorer 11 deployment guide
- url: ./ie11-deploy-guide/index.md
- - text: Use Enterprise Mode to improve compatibility
- url: /microsoft-edge/deploy/emie-to-improve-compatibility
- - text: Lifecycle FAQ - Internet Explorer
- url: /lifecycle/faq/internet-explorer-microsoft-edge
- - linkListType: download
- links:
- - text: Enterprise Mode Site List Manager (schema, v.2)
- url: https://www.microsoft.com/download/details.aspx?id=49974
- - text: Cumulative security updates for Internet Explorer 11
- url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011
-
- # Card
- - title: Plan
- linkLists:
- - linkListType: get-started
- links:
- - text: What is Enterprise Mode?
- url: ./ie11-deploy-guide/what-is-enterprise-mode.md
- - text: Tips and tricks to manage Internet Explorer compatibility
- url: ./ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
- - text: Download the Enterprise Site Discovery Toolkit
- url: https://www.microsoft.com/download/details.aspx?id=44570
- - text: Collect data using Enterprise Site Discovery
- url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
- - text: Manage Windows upgrades with Upgrade Readiness
- url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness
- - linkListType: how-to-guide
- links:
- - text: Turn on Enterprise Mode and use a site list
- url: ./ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
- - text: Add sites to the Enterprise Mode site list
- url: ./ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
- - text: Edit the Enterprise Mode site list
- url: ./ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
- - text: Turn on local control and logging for Enterprise Mode
- url: ./ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
-
- # Card
- - title: Deploy
- linkLists:
- - linkListType: get-started
- links:
- - text: IEAK 11 user's guide
- url: ./ie11-ieak/index.md
- - text: Download IEAK 11
- url: ./ie11-ieak/ieak-information-and-downloads.md
- - text: Frequently asked questions about IEAK 11
- url: ./ie11-faq/faq-ieak11.yml
- - text: Customization and distribution guidelines
- url: ./ie11-ieak/licensing-version-and-features-ieak11.md#customization-guidelines
- - linkListType: deploy
- links:
- - text: Install Internet Explorer 11 through automatic updates (recommended)
- url: ./ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
- - text: Install Internet Explorer 11 as part of an operating system deployment
- url: ./ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
- - text: Install Internet Explorer 11 over the network
- url: ./ie11-deploy-guide/install-ie11-using-the-network.md
- - text: Install Internet Explorer 11 with System Center 2012 R2 Configuration Manager
- url: ./ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
- - text: Install Internet Explorer 11 with Windows Server Update Services (WSUS)
- url: ./ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
- - text: Install Internet Explorer 11 with Microsoft Intune
- url: ./ie11-deploy-guide/install-ie11-using-microsoft-intune.md
- - text: Install Internet Explorer 11 with third-party tools
- url: ./ie11-deploy-guide/install-ie11-using-third-party-tools.md
-
- # Card
- - title: Manage
- linkLists:
- - linkListType: tutorial
- links:
- - text: Group Policy for beginners
- url: /previous-versions/windows/it-pro/windows-7/hh147307(v=ws.10)
- - text: New Group Policy settings for IE11
- url: ./ie11-deploy-guide/new-group-policy-settings-for-ie11.md
- - text: Administrative templates for IE11
- url: https://www.microsoft.com/download/details.aspx?id=40905
- - text: Group Policy preferences for IE11
- url: ./ie11-deploy-guide/group-policy-preferences-and-ie11.md
- - text: Configure Group Policy preferences
- url: /troubleshoot/browsers/how-to-configure-group-policy-preference-settings
- - text: Blocked out-of-date ActiveX controls
- url: ./ie11-deploy-guide/blocked-out-of-date-activex-controls.md
- - text: Out-of-date ActiveX control blocking
- url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md
- - text: Update to block out-of-date ActiveX controls in Internet Explorer
- url: https://support.microsoft.com/topic/update-to-block-out-of-date-activex-controls-in-internet-explorer-39ced8f8-5d98-3c7b-4792-b62fad4e2277
-
- # Card
- - title: Support
- linkLists:
- - linkListType: get-started
- links:
- - text: Change or reset Internet Explorer settings
- url: https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5
- - text: Troubleshoot problems with setup, installation, auto configuration, and more
- url: ./ie11-deploy-guide/troubleshoot-ie11.md
- - text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
- url: https://support.microsoft.com/topic/option-to-disable-vbscript-execution-in-internet-explorer-for-internet-zone-and-restricted-sites-zone-3a2104c0-5af0-9aae-6c57-8207d3cb3e65
- - text: Frequently asked questions about IEAK 11
- url: ./ie11-faq/faq-ieak11.yml
- - text: Internet Explorer 8, 9, 10, 11 forum
- url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
- - text: Contact a Microsoft support professional
- url: https://support.microsoft.com/contactus
- - text: General support
- url: https://support.microsoft.com/windows/internet-explorer-help-23360e49-9cd3-4dda-ba52-705336cc0de2
-
- # Card
- - title: Stay informed
- linkLists:
- - linkListType: get-started
- links:
- - text: Sign up for the Windows IT Pro Insider
- url: https://aka.ms/windows-it-pro-insider
- - text: Microsoft Edge Dev blog
- url: https://blogs.windows.com/msedgedev
- - text: Microsoft Edge Dev on Twitter
- url: https://twitter.com/MSEdgeDev
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
deleted file mode 100644
index fc5a540272..0000000000
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
+++ /dev/null
@@ -1,241 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: IE and Microsoft Edge FAQ for IT Pros
- description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
- manager: msmets
- author: ramakoni1
- ms.author: ramakoni
- ms.reviewer: ramakoni, DEV_Triage
- ms.service: internet-explorer
- ms.technology:
- ms.topic: faq
- ms.localizationpriority: medium
- ms.date: 01/23/2020
-title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
-summary: |
-
-sections:
- - name: Cookie-related questions
- questions:
- - question: |
- What is a cookie?
- answer: |
- An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
-
- - question: |
- How does Internet Explorer handle cookies?
- answer: |
- For more information about how Internet Explorer handles cookies, see the following articles:
-
- - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
- - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
- - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
- - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
- - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
-
- - question: |
- Where does Internet Explorer store cookies?
- answer: |
- To see where Internet Explorer stores its cookies, follow these steps:
-
- 1. Start File Explorer.
- 2. Select **Views** \> **Change folder and search options**.
- 3. In the **Folder Options** dialog box, select **View**.
- 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
- 5. Clear **Hide protected operation system files (Recommended)**.
- 6. Select **Apply**.
- 7. Select **OK**.
-
- The following are the folder locations where the cookies are stored:
-
- **In Windows 10**
- C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
-
- **In Windows 8 and Windows 8.1**
- C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
-
- **In Windows 7**
- C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
- C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
-
- - question: |
- What is the per-domain cookie limit?
- answer: |
- Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
-
- There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
-
- The JavaScript limitation was updated to 10 KB from 4 KB.
-
- For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
-
- - name: Additional information about cookie limits
- questions:
- - question: |
- What does the Cookie RFC allow?
- answer: |
- RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
-
- - At least 300 cookies total
- - At least 20 cookies per unique host or domain name
-
- For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
-
- - question: |
- Cookie size limit per domain
- answer: |
- Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
-
- - name: Proxy Auto Configuration (PAC)-related questions
- questions:
- - question: |
- Is an example Proxy Auto Configuration (PAC) file available?
- answer: |
- Here's a simple PAC file:
-
- ```vb
- function FindProxyForURL(url, host)
- {
- return "PROXY proxyserver:portnumber";
- }
- ```
-
- > [!NOTE]
- > The previous PAC always returns the `proxyserver:portnumber` proxy.
-
- For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
-
- **Third-party information disclaimer**
- The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
-
- - question: |
- How to improve performance by using PAC scripts
- answer: |
- For more information, see [Optimizing performance with automatic Proxy configuration scripts (PAC)](/troubleshoot/developer/browsers/connectivity-navigation/optimize-pac-performance).
-
- - name: Other questions
- questions:
- - question: |
- How to set home and start pages in Microsoft Edge and allow user editing
- answer: |
- For more information, see the following blog article:
-
- [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6)
-
- - question: |
- How to add sites to the Enterprise Mode (EMIE) site list
- answer: |
- For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
-
- - question: |
- What is Content Security Policy (CSP)?
- answer: |
- By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allowlist of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
-
- Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
-
- CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
-
- For more information, see the following articles:
-
- - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
- - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
-
- - question: |
- Where to find Internet Explorer security zones registry entries
- answer: |
- Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](/troubleshoot/browsers/ie-security-zones-registry-entries).
-
- This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
-
- The default Zone Keys are stored in the following locations:
-
- - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
-
- - question: |
- Why don't HTML5 videos play in Internet Explorer 11?
- answer: |
- To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
-
- - 0 (the default value): Allow
- - 3: Disallow
-
- This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
-
- For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
-
- For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
-
- For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
-
- - question: |
- What is the Enterprise Mode Site List Portal?
- answer: |
- This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
-
- - question: |
- What is Enterprise Mode Feature?
- answer: |
- For more information, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
-
- - question: |
- Where can I obtain a list of HTTP Status codes?
- answer: |
- For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
-
- - question: |
- What is end of support for Internet Explorer 11?
- answer: |
- Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it's installed.
-
- For more information, see [Lifecycle FAQ - Internet Explorer and Microsoft Edge](/lifecycle/faq/internet-explorer-microsoft-edge).
-
- - question: |
- How to configure TLS (SSL) for Internet Explorer
- answer: |
- For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
-
- - question: |
- What is Site to Zone?
- answer: |
- Site to Zone usually refers to one of the following:
-
- **Site to Zone Assignment List**
- This is a Group Policy policy setting that can be used to add sites to the various security zones.
-
- The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
-
- - Intranet zone
- - Trusted Sites zone
- - Internet zone
- - Restricted Sites zone
-
- If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
-
- **Site to Zone Mapping**
- Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
-
- - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
-
- **Site to Zone Assignment List policy**
- This policy setting is available for both Computer Configuration and User Configuration:
-
- - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
-
- **References**
- [How to configure Internet Explorer security zone sites using group policies](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
-
- - question: |
- What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
- answer: |
- For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
-
- - question: |
- What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
- answer: |
- The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
-
- For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
diff --git a/education/docfx.json b/education/docfx.json
index 60af34def4..f066cfa6c2 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -34,8 +34,8 @@
"education",
"tier2"
],
- "ms.prod": "windows-client",
- "ms.technology": "itpro-edu",
+ "ms.subservice": "itpro-edu",
+ "ms.service": "windows-client",
"author": "paolomatarazzo",
"ms.author": "paoloma",
"manager": "aaroncz",
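Review bot: The two added keys are in child-before-parent order, `"ms.subservice": "itpro-edu",` ahead of `"ms.service": "windows-client",`, whereas the removed pair listed the parent (`ms.prod`) first. Key order has no effect on parsing, but swapping them to `"ms.service": "windows-client",` followed by `"ms.subservice": "itpro-edu",` keeps the block readable and the diff against sibling docfx files minimal. The enclosing metadata object starts and ends outside this hunk, so it is not visible here whether any per-file overrides still use `ms.prod` or `ms.technology`; if they do, they presumably need the same migration.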
@@ -51,10 +51,10 @@
}
},
"titleSuffix": "Windows Education",
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 9a93fa8064..e367821ba4 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,13 +2,27 @@
-## Week of December 11, 2023
+## Week of January 29, 2024
| Published On |Topic title | Change |
|------|------------|--------|
-| 12/12/2023 | Chromebook migration guide | removed |
-| 12/12/2023 | Deploy Windows 10 in a school district | removed |
-| 12/12/2023 | Deploy Windows 10 in a school | removed |
-| 12/12/2023 | Windows 10 for Education | removed |
-| 12/12/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
+| 1/30/2024 | [Microsoft 365 Education Documentation](/education/index) | modified |
+
+
+## Week of January 15, 2024
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 1/16/2024 | Deployment recommendations for school IT administrators | removed |
+| 1/16/2024 | Microsoft Entra join with Set up School PCs app | removed |
+| 1/16/2024 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
+| 1/16/2024 | Set up student PCs to join domain | removed |
+| 1/16/2024 | Provision student PCs with apps | removed |
+| 1/16/2024 | Set up Windows devices for education | removed |
+| 1/16/2024 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |
+| 1/16/2024 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | modified |
+| 1/16/2024 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | modified |
+| 1/16/2024 | [Set up Microsoft Entra ID](/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id) | modified |
+| 1/16/2024 | Windows 10 editions for education customers | removed |
diff --git a/education/index.yml b/education/index.yml
index a79c5f8617..adc8d30041 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -14,7 +14,7 @@ productDirectory:
title: For IT admins
summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments.
items:
- # Card
+ # Card
- title: Phase 1 - Cloud deployment
imageSrc: ./images/EDU-Deploy.svg
summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your Active Directory and SIS, and license users.
@@ -24,12 +24,12 @@ productDirectory:
imageSrc: ./images/EDU-Device-Mgmt.svg
summary: Get started with Windows for Education, set up and enroll devices in Intune.
url: /microsoft-365/education/deploy/set-up-windows-10-education-devices
- # Card
+ # Card
- title: Phase 3 - Apps management
imageSrc: ./images/EDU-Apps-Mgmt.svg
summary: Configure admin settings, set up Teams for Education, install apps and install Minecraft.
url: /microsoft-365/education/deploy/configure-admin-settings
- # Card
+ # Card
- title: Phase 4 - Complete your deployment
# imageSrc should be square in ratio with no whitespace
imageSrc: ./images/EDU-Tasks.svg
@@ -51,7 +51,7 @@ productDirectory:
text: Microsoft Purview compliance
- url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
text: Deploying Lockbox
- # Card
+ # Card
- title: Analytics & insights
imageSrc: ./images/EDU-Education.svg
links:
@@ -59,7 +59,7 @@ productDirectory:
text: Power BI for IT admins
- url: /dynamics365/
text: Dynamics 365
- # Card
+ # Card
- title: Find deployment help and other support resources
imageSrc: ./images/EDU-Teachers.svg
links:
@@ -69,14 +69,6 @@ productDirectory:
text: Education help center
- url: /training/educator-center/
text: Teacher training packs
- # Card
- - title: Check out our education journey
- imageSrc: ./images/EDU-ITJourney.svg
- links:
- - url: https://edujourney.microsoft.com/k-12/
- text: K-12
- - url: https://edujourney.microsoft.com/hed/
- text: Higher education
additionalContent:
sections:
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 8f3304ae76..75606b7b94 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -26,7 +26,7 @@ To test federation, the following prerequisites must be met:
1. A Google Workspace environment, with users already created
> [!IMPORTANT]
> Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
- > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-azure-ad).
+ > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id).
1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
- School Data Sync (SDS)
- Microsoft Entra Connect Sync for environment with on-premises AD DS
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
deleted file mode 100644
index d343391f22..0000000000
--- a/education/windows/edu-deployment-recommendations.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Deployment recommendations for school IT administrators
-description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
-ms.topic: best-practice
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-
-# Deployment recommendations for school IT administrators
-
-Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we'd like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
-
-We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
-
-## Deployment best practices
-
-Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts:
-
-* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account
-* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school
-* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store
-* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info
-
-## Windows 10 Contacts privacy settings
-
-If you're an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district:
-
-* [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data
-* [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data
-
-In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student's contacts list. By default, this setting is turned on.
-
-To change the setting, you can:
-* [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps)
-* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts)
-
-### Turn off access to contacts for all apps
-
-To turn off access to contacts for all apps on individual Windows devices:
-
-1. On the computer, go to **Settings** and select **Privacy**.
-1. Under the list of **Privacy** areas, select **Contacts**.
-1. Turn off **Let apps access my contacts**.
-
-For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To turn off the setting:
-
-1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**.
-1. Set the **Select a setting** box to **Force Deny**.
-
-### Choose the apps that you want to allow access to contacts
-
-If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
-
-The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you've installed and which of these apps access contacts.
-
-To allow only certain apps to have access to contacts, you can:
-
-- Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce
-
-## Skype and Xbox settings
-
-Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10.
-
-The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see [Skype for Windows 10 Insiders – your most asked questions](https://go.microsoft.com/fwlink/?LinkId=821441).
-
-With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account.
-
-Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox aren't manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories.
-
-If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by:
-
-* [Managing the user profile](#managing-the-user-profile)
-* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying)
-
-### Managing the user profile
-
-#### Skype
-
-Skype uses the user's contact details to deliver important information about the account and it also lets friends find each other on Skype.
-
-To manage and edit your profile in the Skype UWP app, follow these steps:
-
-1. In the Skype UWP app, select the user profile icon to go to the user's profile page.
-2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
-3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**.
-
- The profile page includes these sections:
-
- * Personal information
- * Contact details
- * Profile settings
-
-4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch.
-5. If you don't wish the name to be included, edit the fields and replace the fields with **XXX**.
-6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
-
- * To take a new picture, click the camera icon in the pop-up window. To upload a new picture, click the three dots (**...**)
- * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**
-
-#### Xbox
-
-A user's Xbox friends and their friends' friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child's family can change these default settings to allow it to be more permissive.
-
-To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](https://go.microsoft.com/fwlink/?LinkId=821445).
-
-
-### Delete an account if username is identifying
-
-If you want to delete either (or both) the Skype and the Xbox accounts, here's how to do it.
-
-#### Skype
-
-To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515)
-
-If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you've signed in, you can:
-
-1. Select a help topic (**Account and Password**)
-1. Select a related problem (**Deleting an account**)
-1. Click **Next**.
-1. Select a contact method to get answers to your questions.
-
-#### Xbox
-
-To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](https://go.microsoft.com/fwlink/?LinkId=816521).
-
-## Related topics
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index a1273e7bd7..3d414e043d 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -46,7 +46,7 @@ To enable a federated sign-in experience, the following prerequisites must be me
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP
- For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
+ For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-microsoft-entra-id).
1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
@@ -201,8 +201,6 @@ The following issues are known to affect student shared devices:
For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
-
-
### Preferred Microsoft Entra tenant name
To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\
@@ -210,8 +208,6 @@ When using preferred Microsoft Entra tenant name, the users bypass the disambigu
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
-
-
### Identity matching in Microsoft Entra ID
When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID.
diff --git a/education/windows/images/setedupolicies_omauri.PNG b/education/windows/images/setedupolicies_omauri.png
similarity index 100%
rename from education/windows/images/setedupolicies_omauri.PNG
rename to education/windows/images/setedupolicies_omauri.png
diff --git a/education/windows/images/suspcs/suspc_getstarted_050817.PNG b/education/windows/images/suspcs/suspc_getstarted_050817.png
similarity index 100%
rename from education/windows/images/suspcs/suspc_getstarted_050817.PNG
rename to education/windows/images/suspcs/suspc_getstarted_050817.png
diff --git a/education/windows/images/suspcs/suspc_runpackage_getpcsready.PNG b/education/windows/images/suspcs/suspc_runpackage_getpcsready.png
similarity index 100%
rename from education/windows/images/suspcs/suspc_runpackage_getpcsready.PNG
rename to education/windows/images/suspcs/suspc_runpackage_getpcsready.png
diff --git a/education/windows/images/wcd/setedupolicies.PNG b/education/windows/images/wcd/setedupolicies.png
similarity index 100%
rename from education/windows/images/wcd/setedupolicies.PNG
rename to education/windows/images/wcd/setedupolicies.png
diff --git a/education/windows/images/wcd/wcd_settings_assignedaccess.PNG b/education/windows/images/wcd/wcd_settings_assignedaccess.png
similarity index 100%
rename from education/windows/images/wcd/wcd_settings_assignedaccess.PNG
rename to education/windows/images/wcd/wcd_settings_assignedaccess.png
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 3c3dfae79b..d14d00dd63 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -6,11 +6,10 @@ brand: windows
metadata:
ms.topic: hub-page
- ms.prod: windows-client
- ms.technology: itpro-edu
ms.collection:
- education
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
deleted file mode 100644
index 27bffd9a4e..0000000000
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Microsoft Entra join with Set up School PCs app
-description: Learn how Microsoft Entra join is configured in the Set up School PCs app.
-ms.topic: reference
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-
-# Microsoft Entra join for school PCs
-
-> [!NOTE]
-> Set up School PCs app uses Microsoft Entra join to configure PCs. The app is helpful if you use the cloud based directory, Microsoft Entra ID. If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
-> Designer](set-up-students-pcs-to-join-domain.md) to
-> join your PCs to your school's domain.
-
-Set up School PCs lets you create a provisioning package that automates Microsoft Entra ID
-Join on your devices. This feature eliminates the need to manually:
-
-- Connect to your school's network.
-- Join your organization's domain.
-
-## Automated connection to school domain
-
-During initial device setup, Microsoft Entra join automatically connects your PCs to your school's Microsoft Entra domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
-
-Students who sign in to their PCs with their Microsoft Entra credentials get access to on-premises apps and the following cloud apps:
-* Office 365
-* OneDrive
-* OneNote
-
-
-
-## Enable Microsoft Entra join
-
-Learn how to enable Microsoft Entra join for your school. After you configure this setting, you'll be able to request an automated Microsoft Entra bulk token, which you need to create a provisioning package.
-
-1. Sign in to the Azure portal with your organization's credentials.
-2. Go to **Azure
-Active Directory** \> **Devices** \> **Device settings**.
-3. Enable the setting
-for Microsoft Entra ID by selecting **All** or **Selected**. If you choose the latter
-option, select the teachers and IT staff to allow them to connect to Microsoft Entra ID.
-
-
-
-You can also create an account that holds the exclusive rights to join devices. When a student PC has to be set up, provide the account credentials to the appropriate teachers or staff.
-
-## All Device Settings
-
-The following table describes each setting within **Device Settings**.
-
-| Setting | Description |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Users may join devices to Microsoft Entra ID | Choose the scope of people in your organization that are allowed to join devices to Microsoft Entra ID. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Microsoft Entra ID. |
-| More local administrators on Microsoft Entra joined devices | Only applicable to Microsoft Entra ID P1 or P2 tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. |
-| Users may register their devices with Microsoft Entra ID | Allow all or none of your users to register their devices with Microsoft Entra ID (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. |
-| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Microsoft Entra ID. When set to **Yes**, users that are setting up devices must enter a second method of authentication. |
-| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Microsoft Entra ID. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. |
-| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Microsoft Entra ID P1 or P2 are permitted to select specific users to allow. |
-
-
-
-## Clear Microsoft Entra tokens
-
-Your Intune tenant can only have 500 active Microsoft Entra tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
-
-To reduce your inventory, clear out all unnecessary and inactive tokens.
-1. Go to **Microsoft Entra ID** > **Users** > **All users**
-2. In the **User Name** column, select and delete all accounts with a **package\ _**
-prefix. These accounts are created at a 1:1 ratio for every token and are safe
-to delete.
-3. Select and delete inactive and expired user accounts.
-
-### How do I know if my package expired?
-Automated Microsoft Entra tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.
-
-
-
-## Next steps
-Learn more about setting up devices with the Set up School PCs app.
-* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
-* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
-* [Set up Windows 10 devices for education](set-up-windows-10.md)
-
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 0396303749..6086d0f017 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -5,7 +5,7 @@ ms.date: 06/02/2023
ms.topic: reference
appliesto:
- ✅ Windows 10
----
+---
# What's in my provisioning package?
@@ -48,7 +48,7 @@ For a more detailed look at the policies, see the Windows article [Set up shared
This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
-For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
+For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
| Policy name | Default value | Description |
|--|--|--|
@@ -81,10 +81,10 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
## Apps uninstalled from Windows devices
-Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are:
+Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are:
- Mixed Reality Viewer
-- Weather
+- Weather
- Desktop App Installer
- Tips
- Messaging
@@ -106,11 +106,11 @@ Set up School PCs uses the Universal app install policy to install school-releva
## Provisioning time estimates
-The time it takes to install a package on a device depends on the:
+The time it takes to install a package on a device depends on the:
- Strength of network connection
- Number of policies and apps within the package
-- Other configurations made to the device
+- Other configurations made to the device
Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision.
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 8dd635d04e..213c75c26f 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -2,7 +2,7 @@
title: Set up School PCs app technical reference overview
description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
ms.topic: overview
-ms.date: 08/10/2022
+ms.date: 01/16/2024
appliesto:
- ✅ Windows 10
---
@@ -14,47 +14,36 @@ The **Set up School PCs** app helps you configure new Windows 10 PCs for school
If your school uses Microsoft Entra ID or Office 365, the Set up
School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.
-
+## Join devices to Microsoft Entra ID
-## Join PC to Microsoft Entra ID
-If your school uses Microsoft Entra ID or Office 365, the Set up
-School PCs app creates a setup file that joins your PC to your Azure Active
-Directory tenant.
+If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
The app also helps set up PCs for use with or without Internet connectivity.
## List of Set up School PCs features
+
The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription.
-| Feature | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 |
-|--------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
-| **Fast sign-in** | X | X | X | X |
-| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | |
-| **Custom Start experience** | X | X | X | X |
-| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | |
-| **Guest account, no sign-in required** | X | X | X | X |
-| Set up computers for use by anyone with or without an account. | | | | |
-| **School policies** | X | X | X | X |
-| Settings create a relevant, useful learning environment and optimal computer performance. | | | | |
-| **Microsoft Entra join** | | X | X | X |
-| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management. | | | | |
-| **Single sign-on to Office 365** | | | X | X |
-| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | |
-| **Take a Test app** | | | | X |
-| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | |
-| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** | | | | X |
-| Synchronize student and application data across devices for a personalized experience. | | | | |
+| Feature | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 |
+|--|--|--|--|--|
+| **Fast sign-in** | X | X | X | X |
+| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | |
+| **Custom Start experience** | X | X | X | X |
+| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | |
+| **Guest account, no sign-in required** | X | X | X | X |
+| Set up computers for use by anyone with or without an account. | | | | |
+| **School policies** | X | X | X | X |
+| Settings create a relevant, useful learning environment and optimal computer performance. | | | | |
+| **Microsoft Entra join** | | X | X | X |
+| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management. | | | | |
+| **Single sign-on to Office 365** | | | X | X |
+| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | |
+| **Take a Test app** | | | | X |
+| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | |
+| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** | | | | X |
+| Synchronize student and application data across devices for a personalized experience. | | | | |
-> [!NOTE]
-> If your school uses Active Directory, use [Windows Configuration
-> Designer](set-up-students-pcs-to-join-domain.md)
-> to configure your PCs to join the domain. You can only use the Set up School
-> PCs app to set up PCs that are connected to Microsoft Entra ID.
-
-## Next steps
-Learn more about setting up devices with the Set up School PCs app.
-* [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
-* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
-* [Set up Windows 10 devices for education](set-up-windows-10.md)
+>[!NOTE]
+>You can only use the Set up School PCs app to set up PCs that are connected to Microsoft Entra ID.
When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
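Review bot: The rewritten note at the end of this hunk drops the only pointer for schools that use on-premises Active Directory, and the page it linked to (`set-up-students-pcs-to-join-domain.md`) is deleted in this same commit, so those admins are told the app is Entra-only and given no next step. Consider keeping a one-line pointer to the general provisioning guide that the deleted page built on, for example `> If your school uses Active Directory, see [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment).` The deleted page also advised a least-privileged domain-join account and warned that provisioning project files are stored unencrypted; whether the linked guide carries that advice is not visible here and is worth checking before it disappears. Separately, the new "Join devices to Microsoft Entra ID" section repeats the intro sentence just above it almost word for word, and its heading says "devices" while the body says "PC", so one of the two copies could be removed.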
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
deleted file mode 100644
index 91f2ad28d1..0000000000
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Set up student PCs to join domain
-description: Learn how to use Windows Configuration Designer to provision student devices to join Active Directory.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-
-# Set up student PCs to join domain
-
-If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain.
-
-## Install Windows Configuration Designer
-Follow the instructions in [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-
-## Create the provisioning package
-Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain:
-
-1. In the **Account Management** step:
-
- > [!WARNING]
- > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you'll have to reimage the device and start over. As a best practice, we recommend:
- > - Use a least-privileged domain account to join the device to the domain.
- > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- > - [Use Group Policy to delete the temporary administrator account](/archive/blogs/canitpro/group-policy-creating-a-standard-local-admin-account) after the device is enrolled in Active Directory.
-
-2. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
-3. Find the **SharedPC** settings group.
- - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use.
-4. (Optional) To configure the PC for secure testing, follow these steps.
- 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
- 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
-
- **Figure 7** - Add the account to use for test-taking
-
- 
-
- The account can be in one of the following formats:
- - username
- - domain\username
- - computer name\\username
- - username@tenant.com
-
- 3. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
- 1. In **LaunchURI**, enter the assessment URL.
- 2. In **TesterAccount**, enter the test account you entered in the previous step.
-
-5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer.
-
-6. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package).
- - You'll see the file path for your provisioning package. By default, this path is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name).
- - Copy the provisioning package to a USB drive.
-
- > [!IMPORTANT]
- > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-## Apply package
-Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created.
\ No newline at end of file
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
deleted file mode 100644
index 669dc2484c..0000000000
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Provision student PCs with apps
-description: Learn how to use Windows Configuration Designer to easily provision student devices to join Active Directory.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-# Provision student PCs with apps
-
-To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
-
-Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
-
-You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
-
-- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
-
-- If you want to provision a school PC to join Microsoft Entra ID, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
-
-## Learn more
-
--[Develop Universal Windows Education apps](/windows/uwp/apps-for-education/)
-
-- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
deleted file mode 100644
index 784d5978ac..0000000000
--- a/education/windows/set-up-windows-10.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Set up Windows devices for education
-description: Decide which option for setting up Windows 10 is right for you.
-ms.topic: overview
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-
-# Set up Windows devices for education
-
-You have two tools to choose from to set up PCs for your classroom:
-
-- Set up School PCs
-- Windows Configuration Designer
-
-Choose the tool that is appropriate for how your students will sign in (Active Directory, Microsoft Entra ID, or no account).
-
-You can use the following diagram to compare the tools.
-
-
-
-## In this section
-
-- [Use the Set up School PCs app](use-set-up-school-pcs-app.md)
-- [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
-- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
-- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
-
-## Related topics
-
-[Take tests in Windows](take-tests-in-windows.md)
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
diff --git a/education/windows/toc.yml b/education/windows/toc.yml
index a574722c09..667c2ddc07 100644
--- a/education/windows/toc.yml
+++ b/education/windows/toc.yml
@@ -9,7 +9,7 @@ items:
- name: Deploy applications to Windows 11 SE
href: tutorial-deploy-apps-winse/toc.yml
- name: Concepts
- items:
+ items:
- name: Windows 11 SE
items:
- name: Overview
@@ -26,8 +26,6 @@ items:
href: /windows/deployment/windows-10-pro-in-s-mode?context=/education/context/context
- name: Deploy Win32 apps to S Mode devices
href: /windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s?context=/education/context/context
- - name: Windows 10 editions for education customers
- href: windows-editions-for-education-customers.md
- name: Considerations for shared and guest devices
href: /windows/configuration/shared-devices-concepts?context=/education/context/context
- name: Windows 10 configuration recommendations for education customers
@@ -49,7 +47,7 @@ items:
- name: Configure federation between Google Workspace and Microsoft Entra ID
href: configure-aad-google-trust.md
- name: Configure Shared PC
- href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+ href: /windows/configuration/shared-pc/set-up-shared-or-guest-pc?context=/education/context/context
- name: Get and deploy Minecraft Education
href: get-minecraft-for-education.md
- name: Use the Set up School PCs app
@@ -64,11 +62,9 @@ items:
href: set-up-school-pcs-technical.md
- name: Provisioning package settings
href: set-up-school-pcs-provisioning-package.md
- - name: What's new in Set up School PCs
- href: set-up-school-pcs-whats-new.md
- name: Take a Test technical reference
href: take-a-test-app-technical.md
- name: Shared PC technical reference
- href: /windows/configuration/shared-pc-technical?context=/education/context/context
+ href: /windows/configuration/shared-pc/shared-pc-technical?context=/education/context/context
+
-
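Review bot: The `What's new in Set up School PCs` entry (`set-up-school-pcs-whats-new.md`) is dropped from the TOC in this hunk, but the redirects this commit adds to `.openpublishing.redirection.education.json` do not include that page. The other entry removed from this TOC, `windows-editions-for-education-customers.md`, is both deleted and redirected to `/education/windows` in the same commit. Whether the what's-new page is deleted is not visible in this part of the diff: if it is, existing inbound links will hit a missing page, and if it is kept, it is no longer reachable from navigation. I would either add a matching redirect, `"source_path": "education/windows/set-up-school-pcs-whats-new.md", "redirect_url": "/education/windows"`, or keep the TOC entry.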
diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md
index ef1e695396..25171ff770 100644
--- a/education/windows/tutorial-school-deployment/configure-device-apps.md
+++ b/education/windows/tutorial-school-deployment/configure-device-apps.md
@@ -1,7 +1,7 @@
---
title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
-ms.date: 03/08/2023
+ms.date: 01/16/2024
ms.topic: tutorial
---
@@ -14,11 +14,12 @@ Applications can be assigned to groups:
- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
-In this section you will:
> [!div class="checklist"]
-> * Add apps to Intune for Education
-> * Assign apps to groups
-> * Review some considerations for Windows 11 SE devices
+>In this section you will:
+>
+> - Add apps to Intune for Education
+> - Assign apps to groups
+> - Review some considerations for Windows 11 SE devices
## Add apps to Intune for Education
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index fc71325532..5733d483e9 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -1,8 +1,9 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
-ms.date: 11/09/2023
+ms.date: 01/16/2024
ms.topic: tutorial
+ms.collection: essentials-manage
---
# Configure and secure devices with Microsoft Intune
@@ -23,12 +24,14 @@ There are two ways to manage settings in Intune for Education:
> [!NOTE]
> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
-In this section you will:
+
> [!div class="checklist"]
-> * Configure settings with Express Configuration
-> * Configure group settings
-> * Create Windows Update policies
-> * Configure security policies
+>In this section you will:
+>
+> - Configure settings with Express Configuration
+> - Configure group settings
+> - Create Windows Update policies
+> - Configure security policies
## Configure settings with Express Configuration
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index fa6e5c218a..27ad5f3a8d 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -3,6 +3,7 @@ title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 11/09/2023
ms.topic: tutorial
+ms.collection: essentials-manage
---
# Configure settings and applications with Microsoft Intune
@@ -11,11 +12,13 @@ Before distributing devices to your users, you must ensure that the devices will
Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
-In this section you will:
+
> [!div class="checklist"]
-> * Create groups
-> * Create and assign policies to groups
-> * Create and assign applications to groups
+>In this section you will:
+>
+> - Create groups
+> - Create and assign policies to groups
+> - Create and assign applications to groups
## Create groups
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index 26300b5115..23985289cf 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -1,7 +1,7 @@
---
title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
-ms.date: 03/08/2023
+ms.date: 01/16/2024
ms.topic: tutorial
---
@@ -61,8 +61,9 @@ More advanced dynamic membership rules can be created from Microsoft Intune admi
For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
+
1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
-1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
+1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode
To create an Autopilot deployment profile:
@@ -142,8 +143,6 @@ With the devices joined to Microsoft Entra tenant and managed by Intune, you can
[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
-[EDU-1]: /education/windows/windows-11-se-overview
-[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
[SURF-1]: /surface/surface-autopilot-registration-support
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 6ddb3c8c54..c72273b7aa 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -3,6 +3,7 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 11/09/2023
ms.topic: tutorial
+ms.collection: essentials-get-started
---
# Tutorial: deploy and manage Windows devices in a school
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
index b1ab1cfc12..845d66a892 100644
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
@@ -1,7 +1,7 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
-ms.date: 11/09/2023
+ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
@@ -12,12 +12,13 @@ The Microsoft platform for education simplifies the management of Windows device
Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
-In this section you will:
> [!div class="checklist"]
-> * Set up a Microsoft 365 Education tenant
-> * Add users, create groups, and assign licenses
-> * Configure school branding
-> * Enable bulk enrollment
+>In this section you will:
+>
+> - Set up a Microsoft 365 Education tenant
+> - Add users, create groups, and assign licenses
+> - Configure school branding
+> - Enable bulk enrollment
## Create a Microsoft 365 tenant
@@ -45,7 +46,7 @@ For more information, see [Overview of the Microsoft 365 admin center][M365-2].
With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
> [!NOTE]
-> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Azure Active Directory Sync](#azure-active-directory-sync) below.
+> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below.
### School Data Sync
@@ -61,7 +62,7 @@ For more information, see [Overview of School Data Sync][SDS-1].
>
> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
-### Azure Active Directory Sync
+### Microsoft Entra Connect Sync
To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
index 38dc58b276..1ee9608b0c 100644
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -1,7 +1,7 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
-ms.date: 11/09/2023
+ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
@@ -18,10 +18,11 @@ The Microsoft Intune service can be managed in different ways, and one of them i
For more information, see [Intune for Education documentation][INT-1].
-In this section you will:
> [!div class="checklist"]
-> * Review Intune's licensing prerequisites
-> * Configure the Intune service for education devices
+>In this section you will:
+>
+> - Review Intune's licensing prerequisites
+> - Configure the Intune service for education devices
## Prerequisites
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
index 52fa4c5d69..4a9b022c07 100644
--- a/education/windows/windows-11-se-faq.yml
+++ b/education/windows/windows-11-se-faq.yml
@@ -3,7 +3,7 @@ metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.topic: faq
- ms.date: 03/09/2023
+ ms.date: 01/16/2024
appliesto:
- ✅ Windows 11 SE
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
deleted file mode 100644
index 7c6ecca23b..0000000000
--- a/education/windows/windows-editions-for-education-customers.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Windows 10 editions for education customers
-description: Learn about the two Windows 10 editions that are designed for the needs of education institutions.
-ms.topic: overview
-ms.date: 07/25/2023
-appliesto:
- - ✅ Windows 10
----
-
-# Windows 10 editions for education customers
-
-Windows 10 offers various new features and functionalities, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
-
-Windows 10 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
-
-## Windows 10 Pro Education
-
-Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions).
-
-Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
-
-Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation.
-
-Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
-Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment.
-
-## Windows 10 Education
-
-Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions).
-
-Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
-
-Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment.
-
-For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
-
-## Related topics
-
-- [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
-- [Windows deployment for education](./index.yml)
-- [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths)
-- [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10)
-- [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client)
-- [Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation)
--
\ No newline at end of file
diff --git a/images/group-policy.svg b/images/group-policy.svg
index ace95add6b..95957a5914 100644
--- a/images/group-policy.svg
+++ b/images/group-policy.svg
@@ -1,3 +1,9 @@
-
\ No newline at end of file
+
diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md
index 4a7b56a8be..296a1025d2 100644
--- a/includes/configure/gpo-settings-1.md
+++ b/includes/configure/gpo-settings-1.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use the following settings:
diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md
index 88fd46ec27..fa200244ae 100644
--- a/includes/configure/gpo-settings-2.md
+++ b/includes/configure/gpo-settings-2.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)).
diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md
index 60125a46d1..05f77b0843 100644
--- a/includes/configure/intune-custom-settings-1.md
+++ b/includes/configure/intune-custom-settings-1.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
To configure devices with Microsoft Intune, use a custom policy:
diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md
index 03977b7a0d..92dc4bf22d 100644
--- a/includes/configure/intune-custom-settings-2.md
+++ b/includes/configure/intune-custom-settings-2.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
7. Select **Next**
diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md
index 8f406cf058..fc2277cecb 100644
--- a/includes/configure/intune-custom-settings-info.md
+++ b/includes/configure/intune-custom-settings-info.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md
index b27582fd32..6afcc21dab 100644
--- a/includes/configure/intune-settings-catalog-1.md
+++ b/includes/configure/intune-settings-catalog-1.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md
index 287d5ebbf1..66b5ceae1d 100644
--- a/includes/configure/intune-settings-catalog-2.md
+++ b/includes/configure/intune-settings-catalog-2.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
Assign the policy to a group that contains as members the devices or users that you want to configure.
\ No newline at end of file
diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md
index 951ca428e3..62543ac656 100644
--- a/includes/configure/provisioning-package-1.md
+++ b/includes/configure/provisioning-package-1.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package):
diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md
index b600e58e47..8915e7aebd 100644
--- a/includes/configure/provisioning-package-2.md
+++ b/includes/configure/provisioning-package-2.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure.
diff --git a/includes/configure/registry.md b/includes/configure/registry.md
index 2c620f057a..6c76a6b9b1 100644
--- a/includes/configure/registry.md
+++ b/includes/configure/registry.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
To configure devices with the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings:
\ No newline at end of file
diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md
index a818e4df8b..c9c293a8c5 100644
--- a/includes/configure/tab-intro.md
+++ b/includes/configure/tab-intro.md
@@ -3,7 +3,7 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
-ms.prod: windows-client
+ms.service: windows-client
---
The following instructions provide details how to configure your devices. Select the option that best suits your needs.
\ No newline at end of file
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/system-guard.md
similarity index 75%
rename from includes/licensing/windows-defender-system-guard.md
rename to includes/licensing/system-guard.md
index cecce5edd5..0c165234b4 100644
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/system-guard.md
@@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements
-The following table lists the Windows editions that support Windows Defender System Guard:
+The following table lists the Windows editions that support System Guard:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
-Windows Defender System Guard license entitlements are granted by the following licenses:
+System Guard license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
diff --git a/store-for-business/images/msfb-add-collection.PNG b/store-for-business/images/msfb-add-collection.png
similarity index 100%
rename from store-for-business/images/msfb-add-collection.PNG
rename to store-for-business/images/msfb-add-collection.png
diff --git a/store-for-business/images/wsfb-private-store-gpo.PNG b/store-for-business/images/wsfb-private-store-gpo.png
similarity index 100%
rename from store-for-business/images/wsfb-private-store-gpo.PNG
rename to store-for-business/images/wsfb-private-store-gpo.png
diff --git a/template.md b/template.md
index c9529e25a3..c114acd13f 100644
--- a/template.md
+++ b/template.md
@@ -2,8 +2,8 @@
title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
ms.date: mm/dd/yyyy
-ms.prod: windows-client
-ms.technology: itpro-fundamentals # itpro-deploy itpro-updates itpro-apps itpro-manage itpro-configure itpro-security itpro-privacy itpro-edu
+ms.service: windows-client
+ms.subservice: itpro-fundamentals # itpro-deploy itpro-updates itpro-apps itpro-manage itpro-configure itpro-security itpro-privacy itpro-edu
ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
ms.localizationpriority: medium #high null
author: # GitHub username (aczechowski)
@@ -13,6 +13,7 @@ manager: # MS alias of manager (dougeby/aaroncz)
ms.collection: # optional
- # highpri - high priority, strategic, important, current, etc. articles (confirm with manager prior to use)
- # education - part of M365 for Education vertical
+- # tier1 tier2 tier3
---
# Metadata and Markdown Template
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index db4571a9c6..534e26d426 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 08/18/2023
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 4fc8997a6e..94c799e8af 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -2,14 +2,14 @@
title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# What's new in App-V for Windows 10, version 1703 and earlier
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 040eda052e..21175a8da7 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11)
description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to add or remove an administrator by using the Management Console
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index b11acc20a7..ee6544a181 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11)
description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to add or upgrade packages by using the Management Console
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index ec381c1293..9260eaa159 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -2,14 +2,14 @@
title: Administering App-V by using Windows PowerShell (Windows 10/11)
description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Administering App-V by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index cf6f1e8a76..3ae0ecc41f 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -2,14 +2,14 @@
title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11)
description: Administering App-V Virtual Applications by using the Management Console
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Administering App-V Virtual Applications by using the Management Console
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index a02875375a..24ab5d46a1 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -2,14 +2,14 @@
title: Only Allow Admins to Enable Connection Groups (Windows 10/11)
description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to allow only administrators to enable connection groups
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 025efdca77..363bf2e7ec 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -2,14 +2,14 @@
title: Application Publishing and Client Interaction (Windows 10/11)
description: Learn technical information about common App-V Client operations and their integration with the local operating system.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Application publishing and client interaction
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 24903fe377..310cac6312 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -2,14 +2,14 @@
title: Apply deployment config file via Windows PowerShell (Windows 10/11)
description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to apply the deployment configuration file by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 9d78748d49..cb64552879 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -2,14 +2,14 @@
title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11)
description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to apply the user configuration file by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index c8a8e980b5..415ade7895 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -2,14 +2,14 @@
title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 42e883d6c6..4b2246bee4 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -2,14 +2,14 @@
title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index f73f89ee26..d56ea57fc8 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -2,14 +2,14 @@
title: Auto-remove unpublished packages on App-V client (Windows 10/11)
description: How to automatically clean up any unpublished packages on your App-V client devices.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Automatically clean up unpublished packages on the App-V client
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index 0f09ca265b..50e6dd4a87 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -2,14 +2,14 @@
title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index e869fd86fb..32afb3de6b 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -2,14 +2,14 @@
title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11)
description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Available Mobile Device Management (MDM) settings for App-V
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 2b7edc6c54..5d052067c5 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -2,14 +2,14 @@
title: App-V Capacity Planning (Windows 10/11)
description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V Capacity Planning
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index d87457a13f..c7b029ac7a 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -2,14 +2,14 @@
title: About Client Configuration Settings (Windows 10/11)
description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# About Client Configuration Settings
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index ab350e2a83..23f43e8cb3 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to configure access to packages by using the Management Console (Windows 10/11)
description: How to configure access to packages by using the App-V Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to configure access to packages by using the Management Console
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index 9e7f90b5a1..9524c2d447 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -2,14 +2,14 @@
title: How to make a connection group ignore the package version (Windows 10/11)
description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to make a connection group ignore the package version
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index 687c339a07..c8e45c8af1 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -2,14 +2,14 @@
title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11)
description: How to configure the client to receive package and connection groups updates from the publishing server.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to configure the client to receive package and connection groups updates from the publishing server
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index 95ec5914c4..50ed9fd433 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -2,14 +2,14 @@
title: How to connect to the Management Console (Windows 10/11)
description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to connect to the Management Console
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index df85debbf2..bfad2cc36f 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -2,14 +2,14 @@
title: About the connection group file (Windows 10/11)
description: A summary of what the connection group file is and how to configure it.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# About the connection group file
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index 26f5a073a8..d84704a33f 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -2,14 +2,14 @@
title: About the connection group virtual environment (Windows 10/11)
description: Learn how the connection group virtual environment works and how package priority is determined.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# About the connection group virtual environment
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 3a2f20cbb5..e12fd39cb0 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -2,14 +2,14 @@
title: How to convert a package created in a previous version of App-V (Windows 10/11)
description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to convert a package created in a previous version of App-V
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 09a658895f..e602397d30 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -2,14 +2,14 @@
title: How to create a connection croup with user-published and globally published packages (Windows 10/11)
description: How to create a connection croup with user-published and globally published packages.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a connection croup with user-published and globally published packages
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 18a61bee6e..a78ae6f6cd 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -2,14 +2,14 @@
title: How to create a connection group (Windows 10/11)
description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a connection group
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 0dd4402170..ead8b2f662 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11)
description: How to create a custom configuration file by using the App-V Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a custom configuration file by using the App-V Management Console
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 30cddc907d..cbe79ac2df 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -2,14 +2,14 @@
title: How to create a package accelerator by using Windows PowerShell (Windows 10/11)
description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a package accelerator by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index 93333681f5..e1500e3807 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -2,14 +2,14 @@
title: How to create a package accelerator (Windows 10/11)
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a package accelerator
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index 162c56efbc..2ee8100f3e 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -2,14 +2,14 @@
title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11)
description: How to create a virtual application package using an App-V Package Accelerator.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to create a virtual application package using an App-V Package Accelerator
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 9420f67b5f..a37682809c 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -2,14 +2,14 @@
title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11)
description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Create and apply an App-V project template to a sequenced App-V package
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 4616ec336f..ef0e7deee1 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -2,14 +2,14 @@
title: Creating and managing App-V virtualized applications (Windows 10/11)
description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Creating and managing App-V virtualized applications
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 117cbd91bd..bbb9594d7c 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11)
description: How to customize virtual application extensions for a specific AD group by using the Management Console.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to customize virtual applications extensions for a specific AD group by using the Management Console
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 55dc6b0ec7..88af78ee9f 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -2,14 +2,14 @@
title: How to delete a connection group (Windows 10/11)
description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to delete a connection group
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 1917d768e9..2bd65704c0 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to delete a package in the Management Console (Windows 10/11)
description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to delete a package in the Management Console
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 3fac560518..af21f7aff4 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -2,14 +2,14 @@
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11)
description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to deploy the App-V databases by using SQL scripts
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index cbaf3e7123..a085662790 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -2,14 +2,14 @@
title: How to deploy App-V packages using electronic software distribution (Windows 10/11)
description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to deploy App-V packages using electronic software distribution
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 19e48512a0..d0e531b234 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -2,14 +2,14 @@
title: How to Deploy the App-V Server Using a Script (Windows 10/11)
description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to deploy the App-V server using a script
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 4a9f49f03b..ccd4d5e8c2 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -2,14 +2,14 @@
title: How to Deploy the App-V Server (Windows 10/11)
description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Deploy the App-V Server (new installation)
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index d1d23d6d74..57ec089771 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -2,14 +2,14 @@
title: Deploying App-V (Windows 10/11)
description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying App-V for Windows client
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 02924fde4f..e68c95f230 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -2,14 +2,14 @@
title: Deploying Microsoft Office 2010 by Using App-V
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying Microsoft Office 2010 by Using App-V
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 0cb31fa36f..8b8c6ca547 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -2,14 +2,14 @@
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying Microsoft Office 2013 by Using App-V
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index ee4cbe5751..e76a52b47d 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -2,14 +2,14 @@
title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying Microsoft Office 2016 by using App-V
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 20e131feb1..f9ba5b9a57 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -2,14 +2,14 @@
title: Deploying App-V packages by using electronic software distribution (ESD)
description: Deploying App-V packages by using electronic software distribution (ESD)
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying App-V packages by using electronic software distribution (ESD)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index e2fd60d1e8..d9f2150218 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -2,14 +2,14 @@
title: Deploying the App-V Sequencer and configuring the client (Windows 10/11)
description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying the App-V Sequencer and configuring the client
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 2b08876aed..35e22a1400 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -2,14 +2,14 @@
title: Deploying the App-V Server (Windows 10/11)
description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Deploying the App-V server
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index fd90b055be..0b06042ae1 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -2,14 +2,14 @@
title: App-V Deployment Checklist (Windows 10/11)
description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V Deployment Checklist
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 03ba41c6d2..d6073f10c0 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -2,14 +2,14 @@
title: About App-V Dynamic Configuration (Windows 10/11)
description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# About App-V dynamic configuration
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 9c19cab0aa..39c355141c 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -2,8 +2,8 @@
title: How to enable only administrators to publish packages by using an ESD
description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
author: aczechowski
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.date: 05/02/2022
ms.reviewer:
manager: aaroncz
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index cc71b17cb7..757e57fbf2 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -2,14 +2,14 @@
title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11)
description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Enable Reporting on the App-V Client by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index 5b65a93ac1..7622c5c8dd 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -2,14 +2,14 @@
title: Enable the App-V in-box client (Windows 10/11)
description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Enable the App-V in-box client
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 6874ebc260..78f237a692 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -2,13 +2,13 @@
title: Evaluating App-V (Windows 10/11)
description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Evaluating App-V
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index ecb4183907..b2ded1f268 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -2,14 +2,14 @@
title: Application Virtualization (App-V) (Windows 10/11)
description: See various articles that can help you administer Application Virtualization (App-V) and its components.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Application Virtualization (App-V) for Windows client overview
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index f851ca2a85..aab10ec1a4 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -2,14 +2,14 @@
title: Getting Started with App-V (Windows 10/11)
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Getting started with App-V for Windows client
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index 437b20eeb1..1757dca790 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -2,14 +2,14 @@
title: High-level architecture for App-V (Windows 10/11)
description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# High-level architecture for App-V
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index acc244a595..4f706ec7eb 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -2,13 +2,13 @@
title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11)
description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index ae2e2b56c3..ba5480496d 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -2,14 +2,14 @@
title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11)
description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 5b258437f3..a9263f3cba 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -2,14 +2,14 @@
title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
description: How to install the Management Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to install the Management Server on a Standalone Computer and Connect it to the Database
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 7457b54f82..b25c54796c 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -2,14 +2,14 @@
title: Install the Publishing Server on a Remote Computer (Windows 10/11)
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to install the publishing server on a remote computer
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index f5335dd5f0..39075f56f3 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -2,14 +2,14 @@
title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to install the reporting server on a standalone computer and connect it to the database
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 2fdd2ec28d..2f756b549e 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -2,14 +2,14 @@
title: Install the App-V Sequencer (Windows 10/11)
description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Install the App-V Sequencer
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2170f1e25b..9ce856129d 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -2,14 +2,14 @@
title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index fb3a0ccc4e..0b04a038f5 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -2,14 +2,14 @@
title: Maintaining App-V (Windows 10/11)
description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Maintaining App-V
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index e125255c83..55a855d2eb 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -5,14 +5,14 @@ author: aczechowski
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/24/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index c870425b03..1a6a1de125 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -2,13 +2,13 @@
title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11)
description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index d65f100109..e985d4a918 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -2,13 +2,13 @@
title: Managing Connection Groups (Windows 10/11)
description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Managing Connection Groups
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index b5ca6b5e48..c42f3ed0f6 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -2,13 +2,13 @@
title: Migrating to App-V from a Previous Version (Windows 10/11)
description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Migrating to App-V from previous versions
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index db81d9833c..b9d7da75f0 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -2,13 +2,13 @@
title: How to Modify an Existing Virtual Application Package (Windows 10/11)
description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Modify an Existing Virtual Application Package
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 6e0950dbf8..24187f7a7d 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -2,13 +2,13 @@
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11)
description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Modify Client Configuration by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 4b844f29a5..9aa55c680d 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -2,13 +2,13 @@
title: How to Move the App-V Server to Another Computer (Windows 10/11)
description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to move the App-V server to another computer
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index 7b2ef74380..8af6d33a4d 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -2,14 +2,14 @@
title: Operations for App-V (Windows 10/11)
description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Operations for App-V
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index cb7e615a02..d05eec841b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -2,13 +2,13 @@
title: Performance Guidance for Application Virtualization
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Performance Guidance for Application Virtualization
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index c391399dd5..76f89eae1f 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -2,14 +2,14 @@
title: App-V Planning Checklist (Windows 10/11)
description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V Planning Checklist
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 04e30a407c..1045a49e6e 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -2,14 +2,14 @@
title: Planning to Use Folder Redirection with App-V (Windows 10/11)
description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning to Use Folder Redirection with App-V
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index 6d1dfd402c..9d934729e0 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -2,14 +2,14 @@
title: Planning for the App-V Server Deployment (Windows 10/11)
description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning for the App-V server deployment
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index e0bf768b4b..e4fcf0c5ad 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -2,14 +2,14 @@
title: Planning for App-V (Windows 10/11)
description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning for App-V
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index 3f800f36de..cb1db35d6e 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -2,14 +2,14 @@
title: Planning for High Availability with App-V Server
description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning for high availability with App-V Server
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 61f49df9b6..2ba0a00feb 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -2,14 +2,14 @@
title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11)
description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning for the App-V Sequencer and Client Deployment
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index 02914cd55b..6bdba43ddf 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -2,14 +2,14 @@
title: Planning for Deploying App-V with Office (Windows 10/11)
description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning for deploying App-V with Office
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 478b1f8523..0649249186 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -2,14 +2,14 @@
title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11)
description: Planning to Deploy App-V with an Electronic Software Distribution System
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning to Deploy App-V with an electronic software distribution system
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index 5cfdf7b332..64468df388 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -2,14 +2,14 @@
title: Planning to Deploy App-V (Windows 10/11)
description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Planning to Deploy App-V for Windows client
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 95fad14736..3268e9610e 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -1,7 +1,7 @@
---
title: Preparing Your Environment for App-V (Windows 10/11)
description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
author: aczechowski
@@ -9,7 +9,7 @@ manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Preparing your environment for App-V
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index 9df6ba5e4c..38af8e2364 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -2,14 +2,14 @@
title: App-V Prerequisites (Windows 10/11)
description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V for Windows client prerequisites
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 2a86b56aff..de2ecd3c81 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -2,14 +2,14 @@
title: How to Publish a Connection Group (Windows 10/11)
description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Publish a Connection Group
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 8d1b3b7041..0d5526bb14 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -2,14 +2,14 @@
title: How to publish a package by using the Management console (Windows 10/11)
description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to publish a package by using the Management console
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index 2c82592252..0af2304c46 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -2,13 +2,13 @@
title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11)
description: How to Register and Unregister a Publishing Server by Using the Management Console
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Register and Unregister a Publishing Server by Using the Management Console
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index f2df77ee92..68b2efeb3a 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -2,13 +2,13 @@
title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11)
description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Release Notes for App-V for Windows 10 version 1703 and later
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 00fd89be8c..e9f6d97139 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -2,13 +2,13 @@
title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Release Notes for App-V for Windows 10, version 1607
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 0108207c9e..2e05013ad9 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -2,14 +2,14 @@
title: About App-V Reporting (Windows 10/11)
description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# About App-V reporting
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index ce0c73c061..f37849f3a0 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -2,13 +2,13 @@
title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 03/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 5c13af93a6..77bc48c66f 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -2,14 +2,14 @@
title: App-V Security Considerations (Windows 10/11)
description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V security considerations
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index a19c89cc1c..1af6a22f42 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -2,14 +2,14 @@
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 1b289057fe..9754332e13 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -2,13 +2,13 @@
title: How to sequence a package by using Windows PowerShell (Windows 10/11)
description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Sequence a Package by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 059ef24c65..f96111505d 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -2,14 +2,14 @@
title: App-V Supported Configurations (Windows 10/11)
description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.topic: article
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# App-V Supported Configurations
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index 5feee6e5a9..ec23d191b4 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -2,13 +2,13 @@
title: Technical Reference for App-V (Windows 10/11)
description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Technical Reference for App-V
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 6ad489e6d0..1a4d09cc2f 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -2,13 +2,13 @@
title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11)
description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index 8e916937ed..020e46ea24 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -2,13 +2,13 @@
title: Troubleshooting App-V (Windows 10/11)
description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Troubleshooting App-V
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index d9769d9ac3..48842df8a4 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -2,13 +2,13 @@
title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11)
description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Upgrading to App-V for Windows client from an existing installation
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 3cdd99110d..84af8ed135 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -2,13 +2,13 @@
title: Using the App-V Client Management Console (Windows 10/11)
description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Using the App-V Client Management Console
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index 92b64eb2ec..82665691aa 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -2,13 +2,13 @@
title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11)
description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index ed8de7183d..c2d47380bf 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -2,13 +2,13 @@
title: Viewing App-V Server Publishing Metadata (Windows 10/11)
description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: aczechowski
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
-ms.technology: itpro-apps
+ms.subservice: itpro-apps
---
# Viewing App-V Server Publishing Metadata
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 93921e2c5b..f9544bebe7 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -40,7 +40,8 @@
"tier2"
],
"uhfHeaderId": "MSDocsHeader-Windows",
- "ms.technology": "itpro-apps",
+ "ms.service": "windows-client",
+ "ms.subservice": "itpro-apps",
"ms.topic": "article",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
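Review bot: The two defaults added here, `"ms.service": "windows-client"` and `"ms.subservice": "itpro-apps"`, repeat what this same commit writes into the front matter of each article under windows/application-management, so the values now live in two places and can drift apart. If this object is docfx's `globalMetadata` (its opening brace is outside the hunk), the per-file keys are only needed where a file must differ from the default. The includes/app-v-end-life-statement.md hunk, for example, ends up with `ms.service` but no `ms.subservice` of its own. The hunk removes only `ms.technology`; whether an `ms.prod` entry remains elsewhere in this file is not visible here and is worth checking, so that old and new keys are not both emitted.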
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 1ed95c362a..2a00963aef 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 10/03/2017
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
ms.reviewer:
diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md
index f9844e71b1..932390fc2d 100644
--- a/windows/application-management/includes/app-v-end-life-statement.md
+++ b/windows/application-management/includes/app-v-end-life-statement.md
@@ -4,9 +4,7 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 09/20/2021
ms.topic: include
-ms.prod: w10
-ms.collection: tier1
-ms.reviewer:
+ms.service: windows-client
---
Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal).
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md
index 35084641c6..f4b2934ded 100644
--- a/windows/application-management/includes/applies-to-windows-client-versions.md
+++ b/windows/application-management/includes/applies-to-windows-client-versions.md
@@ -5,8 +5,8 @@ manager: aaroncz
ms.date: 09/28/2021
manager: aaroncz
ms.topic: include
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriortiy: medium
ms.collection: tier1
ms.reviewer:
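Review bot: The context line `ms.localizationpriortiy: medium` in this front matter misspells the key, so the build presumably ignores it; while the neighbouring keys are being renamed it should become `ms.localizationpriority: medium`. `manager: aaroncz` also appears to be declared twice, once in the hunk heading and once inside the hunk, so one copy can go. The svchost-service-refactoring.md hunk has the same kind of slip in `ms.colletion: tier2`, which should read `ms.collection: tier2`. The front matter starts above this hunk, so the first `manager` line is visible only in the hunk heading.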
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 46ff46e15f..371bc58a37 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -11,7 +11,8 @@ metadata:
manager: aaroncz
ms.date: 08/18/2023
ms.topic: landing-page
- ms.prod: windows-client
+ ms.service: windows-client
+ ms.subservice: itpro-apps
ms.collection:
- tier1
@@ -40,7 +41,7 @@ landingContent:
- text: Changes to Service Host grouping in Windows 10
url: svchost-service-refactoring.md
- - title: Application Virtualization (App-V)
+ - title: Application Virtualization (App-V)
linkLists:
- linkListType: overview
links:
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
index 1c54d148ce..ab58f88f99 100644
--- a/windows/application-management/overview-windows-apps.md
+++ b/windows/application-management/overview-windows-apps.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 08/28/2023
ms.topic: overview
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 2ea7628c2f..9e6cefb8ae 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index cb4377d22d..90281afcd3 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 04/04/2023
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
ms.reviewer: amanh
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 23b08e028e..84cf6dc297 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 05/25/2018
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier1
appliesto:
diff --git a/windows/application-management/sideload-apps-in-windows.md b/windows/application-management/sideload-apps-in-windows.md
index f962fed76e..3779938afc 100644
--- a/windows/application-management/sideload-apps-in-windows.md
+++ b/windows/application-management/sideload-apps-in-windows.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 7bc1bcf117..5d7b3a998c 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -6,8 +6,8 @@ ms.author: aaroncz
manager: aaroncz
ms.date: 07/20/2017
ms.topic: concept-article
-ms.prod: windows-client
-ms.technology: itpro-apps
+ms.service: windows-client
+ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.colletion: tier2
appliesto:
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index efb65c5991..27c5fb235c 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,7 +1,7 @@
---
title: Microsoft Entra integration with MDM
description: Microsoft Entra ID is the world's largest enterprise cloud identity management service.
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index e1c894e2c5..ab7c3e0a1c 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,7 +1,7 @@
---
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index 522b5d05b6..d9938c6409 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,7 +1,7 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index c1ab833e1c..e53a80cc55 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 233a34e3dc..573cbe71b2 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 7c30da23de..1e319e16a4 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -3,10 +3,11 @@ title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.localizationpriority: medium
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
+- essentials-manage
---
# Windows Tools/Administrative Tools
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 1bcd9ff753..685f872e8a 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -2,7 +2,7 @@
title: Windows default media removal policy
description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
---
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index 2e3e741284..b47fad81ee 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device
description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
ms.localizationpriority: medium
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 8efcf24c66..0aaf41776d 100644
--- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage Device Installation with Group Policy
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
---
# Manage Device Installation with Group Policy
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index afc00a6203..bf19bb6ad7 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
---
# Manage the Settings app with Group Policy
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 5c867f498d..78e358f1fd 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -2,7 +2,7 @@
title: Create mandatory user profiles
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 58eceea5e1..f902b92204 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -2,7 +2,7 @@
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
ms.collection:
- highpri
diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md
index 43666505af..3486649f20 100644
--- a/windows/client-management/client-tools/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,7 +1,7 @@
---
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index a9ff816f27..2bb838cf72 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -2,7 +2,7 @@
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
---
# What version of Windows am I running?
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 443c29c949..30b905a41d 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -1,7 +1,7 @@
---
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
appliesto:
- ✅ Windows 11
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index e6c914668a..c298893a3a 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
ms.collection:
- highpri
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 00e2645545..612dd07651 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,7 +1,7 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index aea6640ea0..d099e4731e 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -41,10 +41,10 @@
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
- "ms.technology": "itpro-manage",
"audience": "ITPro",
- "ms.prod": "windows-client",
- "ms.topic": "article",
+ "ms.service": "windows-client",
+ "ms.subservice": "itpro-manage",
+ "ms.topic": "conceptual",
"ms.author": "vinpa",
"author": "vinaypamnani-msft",
"manager": "aaroncz",
@@ -85,6 +85,9 @@
"✅ Windows 11",
"✅ Windows 10"
]
+ },
+ "ms.topic": {
+ "mdm/*.md": "reference"
}
},
"template": [],
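Review bot: The new `"mdm/*.md": "reference"` mapping uses a single-level glob, so an article in a subfolder of `mdm/` would, as far as docfx globbing goes, keep the `conceptual` default set in the earlier hunk of this file. If nested articles exist, `"mdm/**/*.md": "reference"` would cover them. An article that declares its own `ms.topic` in front matter presumably still overrides this mapping, so it is worth checking that the mdm pages carry no stale per-file value. The enclosing metadata objects open and close outside the hunk.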
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index bd41f63d4d..00618845b9 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -1,7 +1,7 @@
---
title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 08/10/2023
---
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 853f60c4dd..f9ccd5cc0a 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,7 +1,7 @@
---
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
ms.collection:
- highpri
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 976b340e5a..b6e975a1c8 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,7 +1,7 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index a96b2ed7e3..ecb42e8160 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/images/bing-chat-enterprise-chat-provider.png b/windows/client-management/images/bing-chat-enterprise-chat-provider.png
deleted file mode 100644
index 6213a99d16..0000000000
Binary files a/windows/client-management/images/bing-chat-enterprise-chat-provider.png and /dev/null differ
diff --git a/windows/client-management/images/copilot-commercial-data-protection-chat-provider.png b/windows/client-management/images/copilot-commercial-data-protection-chat-provider.png
new file mode 100644
index 0000000000..a7db0da381
Binary files /dev/null and b/windows/client-management/images/copilot-commercial-data-protection-chat-provider.png differ
diff --git a/windows/client-management/images/work-toggle-graph-grounded-chat.png b/windows/client-management/images/work-toggle-graph-grounded-chat.png
new file mode 100644
index 0000000000..6b54325f3a
Binary files /dev/null and b/windows/client-management/images/work-toggle-graph-grounded-chat.png differ
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index ae35a82630..e9c0ab5ecc 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,7 +1,7 @@
---
title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/includes/mdm-enrollment-error-codes.md b/windows/client-management/includes/mdm-enrollment-error-codes.md
index 017a48153f..186805615f 100644
--- a/windows/client-management/includes/mdm-enrollment-error-codes.md
+++ b/windows/client-management/includes/mdm-enrollment-error-codes.md
@@ -1,7 +1,7 @@
---
author: vinaypamnani-msft
ms.author: vinpa
-ms.prod: windows
+ms.service: windows-client
ms.topic: include
ms.date: 04/06/2023
---
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 40f4cb654f..860eb04bfe 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -7,15 +7,13 @@ metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page
- ms.prod: windows-client
- ms.technology: itpro-manage
ms.collection:
- highpri
- tier1
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
- ms.date: 09/26/2023
+ ms.date: 01/18/2024
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 7129573f55..cc6af7d11f 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -3,7 +3,7 @@ title: Manage Windows devices in your organization - transitioning to modern man
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.localizationpriority: medium
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
---
# Manage Windows devices in your organization - transitioning to modern management
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index 1b811341cb..2e90b5b053 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -2,19 +2,20 @@
title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: conceptual
-ms.technology: itpro-windows-copilot
-ms.date: 11/06/2023
+ms.subservice: windows-copilot
+ms.date: 02/05/2024
ms.author: mstewart
-author: mestew
+author: mestew
appliesto:
- ✅ Windows 11, version 22H2 or later
---
# Manage Copilot in Windows
+
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
-Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider.
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.
> [!Note]
> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
@@ -39,62 +40,81 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t
## Chat provider platforms for Copilot in Windows
-Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.
+Copilot in Windows can use either Microsoft Copilot, Copilot with commercial data protection, or Copilot with Graph-grounded chat as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections.
-**Bing Chat**:
+### Copilot
-[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:
- - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
- - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
+Copilot is a consumer experience and has a daily limit on the number of chat queries per user when not signed in with a Microsoft account. It doesn't offer the same data protection as Copilot with commercial data protection.
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
+- The privacy statement for using Copilot follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
-**Bing Chat Enterprise**:
+ > [!Note]
+ > Copilot doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps.
-[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:
+### Copilot with commercial data protection
-- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections).
-- Bing Chat Enterprise is available, at no additional cost, for the following licenses:
+[Copilot with commercial data protection](/copilot/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection:
+
+- User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models (LLMs). Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections).
+- Copilot with commercial data protection is available, at no additional cost, for the following licenses:
- Microsoft 365 E3 or E5
- - Microsoft 365 A3 or A5 for faculty
+ - Microsoft 365 F3
+ - Microsoft 365 A1, A3, or A5
+ - Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
+ - Office 365 A1, A3, or A5
+ - Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
> [!Note]
- > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.
+ > Copilot with commercial data protection doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps.
+
+### Microsoft Copilot with Graph-grounded chat
+
+Copilot with Graph-grounded chat enables you to use your work content and context in Copilot for Windows. With Graph-grounded chat, you can draft content and get answers to questions, all securely grounded in your Microsoft Graph data such as user documents, emails, calendar, chats, meetings, and contacts. When you use the **Work** toggle in Copilot in Windows to query Graph-grounded chat, the following high-level privacy and security protections apply:
+
+- Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundational LLMs.
+- It only surfaces organizational data to which individual users have at least view permissions.
+- The information contained within your prompts, the data retrieved, and the generated responses remain within your tenant's service boundary. For more information about privacy and security for Graph-grounded chat, see [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy)
+- Copilot with Graph-grounded chat is part of Copilot for Microsoft 365. Copilot for Microsoft 365 is an add-on plan. For more information about prerequisites and license requirements, see [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements#license-requirements).
## Configure the chat provider platform that Copilot in Windows uses
-Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
+Configuring the correct chat provider platform for Copilot in Windows is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. Once you select the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
-### Bing Chat as the chat provider platform
+### Microsoft Copilot as the chat provider platform
-Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
+Copilot is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
-- Bing Chat Enterprise isn't configured for the user
-- The user isn't assigned a license that includes Bing Chat Enterprise
-- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage)
-- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise
+- Commercial data protection isn't configured for the user.
+- Commercial data protection is [turned off](/copilot/manage).
+- The user isn't assigned a license that includes Copilot with commercial data protection.
+- The user isn't signed in with a Microsoft Entra account that's licensed for Copilot with commercial data protection.
-### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)
+### Copilot with commercial data protection as the chat provider platform (recommended for commercial environments)
-To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
+To verify that Copilot with commercial data protection is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
-1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:
+1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes **Copilot**. Copilot with commercial data protection is included and enabled by default for users that are assigned one of the following licenses:
- Microsoft 365 E3 or E5
- - Microsoft 365 A3 or A5 for faculty
- - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage).
+ - Microsoft 365 F3
+ - Microsoft 365 A1, A3, or A5
+ - Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
+ - Office 365 A1, A3, or A5
+ - Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
-1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu.
+1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu.
1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
-1. Verify that **Bing Chat Enterprise** is enabled for the user.
-1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**.
+1. Verify that **Copilot** is enabled for the user.
+1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**.
> [!Note]
- > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users.
+ > If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise) using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
-The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:
+The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled:
```powershell
# Install Microsoft Graph module
@@ -108,20 +128,28 @@ Connect-MgGraph -Scopes 'User.Read.All'
# Get all users
$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans
-# Users with Bing Chat Enterprise enabled
+# Users with Copilot with commercial data protection enabled
$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table
-# Users without Bing Chat Enterprise enabled
+# Users without Copilot with commercial data protection enabled
$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table
```
-When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:
+When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario:
-:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::
+:::image type="content" source="images/copilot-commercial-data-protection-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider." lightbox="images/copilot-commercial-data-protection-chat-provider.png":::
+
+
+### Copilot with Graph-grounded chat as the chat provider platform
+
+
+When users are assigned [Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-setup) licenses, they're automatically presented with a **Work** toggle in Copilot for Windows. When **Work** is selected, Copilot with Graph-grounded chat is the chat provider platform used by Copilot in Windows. When using Graph-grounded chat, user prompts can securely access Microsoft Graph content, such as emails, chats, and documents.
+
+:::image type="content" source="images/work-toggle-graph-grounded-chat.png" alt-text="Screenshot of the Copilot in Windows user experience when the work toggle is selected and the chart provider is Copilot with Graph-grounded chat." lightbox="images/work-toggle-graph-grounded-chat.png":::
## Ensure the Copilot in Windows user experience is enabled
-Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.
+Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.
### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients
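Review bot: The two `Where-Object` filters kept as context in this hunk test `$_.AssignedPlans.Service` and `$_.AssignedPlans.CapabilityStatus` independently. Member enumeration turns each into an array over all of the user's plans, so the "enabled" filter appears to match any user who has a Bing plan in any state plus some other enabled plan. An admin using this list to confirm commercial data protection could then see a user reported as protected whose Bing plan is actually disabled. Evaluating both properties on the same plan avoids that, for example `$users | Where-Object { $_.AssignedPlans | Where-Object { $_.Service -eq "Bing" -and $_.CapabilityStatus -eq "Enabled" } } | Format-Table`, with the second list written as the negation of that same test so users with no Bing plan are reported too. The script starts before this hunk, so the module install and `Connect-MgGraph` lines are not reviewed here.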
@@ -130,7 +158,7 @@ Copilot in Windows isn't technically enabled by default for managed Windows 11,
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:
1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section.
-1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
@@ -142,7 +170,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
-
+
The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
- Automatically receive optional updates (including CFRs)
- This selection places devices into an early CFR phase
@@ -152,9 +180,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n
### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
-Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.
+Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows is removed. This means that Copilot in Windows is enabled by default for these devices.
-While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
+While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort is made to ensure that Copilot with commercial data protection is the default chat provider for commercial organizations, it's still possible that Copilot might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
@@ -165,25 +193,26 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t
## Other settings that might affect Copilot in Windows and its underlying chat provider
-Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
+Copilot in Windows and [Copilot in Edge](/copilot/edge), can share the same underlying chat provider platform. This also means that some settings that affect Copilot, Copilot with commercial data protection, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
### Bing settings
-- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:
- - mapping `www.bing.com` to `strict.bing.com`
- - mapping `edgeservices.bing.com` to `strict.bing.com`
- - blocking `bing.com`
+- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Edge:
-- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
+ - Mapping `www.bing.com` to `strict.bing.com`
+ - Mapping `edgeservices.bing.com` to `strict.bing.com`
+ - Blocking `bing.com`
- |Key |Value |
- |:---------|:------------|
- |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface **false** hides the interface |
+- If Copilot with commercial data protection is turned on for your organization, users can access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
+
+ | Key | Value |
+ |:---------------------------------------------|:---------------------------------------------------------------------------|
+ | com.microsoft.intune.mam.managedbrowser.Chat | **true** (default) shows the interface **false** hides the interface |
### Microsoft Edge policies
- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
-- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Copilot from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
### Search settings
diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md
index 5756913331..bc39a4ceb7 100644
--- a/windows/client-management/mdm-collect-logs.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,7 +1,7 @@
---
title: Collect MDM logs
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
ms.collection:
- highpri
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
index c3dd757bb5..1d2c92bd1f 100644
--- a/windows/client-management/mdm-diagnose-enrollment.md
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -1,7 +1,7 @@
---
title: Diagnose MDM enrollment failures
description: Learn how to diagnose enrollment failures for Windows devices
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index ef09eea68f..c3140fd86d 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,7 +1,7 @@
---
title: MDM enrollment of Windows devices
description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 3b715665e0..10bd7ebaa1 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -1,7 +1,7 @@
---
title: Known issues in MDM
description: Learn about known issues for Windows devices in MDM
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 4777c1d28c..7b31fe006a 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -2,7 +2,7 @@
title: Mobile Device Management overview
description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
ms.date: 08/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
ms.collection:
- highpri
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 25ff8939c4..f4e01b842c 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,14 +1,7 @@
---
title: LanguagePackManagement CSP
description: Learn more about the LanguagePackManagement CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 4fdc019a91..55180da611 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -1,14 +1,7 @@
---
title: AccountManagement CSP
description: Learn more about the AccountManagement CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/29/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index 7589b07ab4..06093b49ae 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -1,14 +1,7 @@
---
title: AccountManagement DDF file
description: View the XML file containing the device description framework (DDF) for the AccountManagement configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/29/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 86ff222dcc..e32ee78e33 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -1,14 +1,7 @@
---
title: Accounts CSP
description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 03/27/2020
-ms.reviewer:
-manager: aaroncz
---
# Accounts CSP
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index 330218b819..9fb71bd404 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,14 +1,7 @@
---
title: Accounts DDF file
description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 04/17/2018
-ms.reviewer:
-manager: aaroncz
---
# Accounts DDF file
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 842d9225c2..8d862c057a 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,14 +1,7 @@
---
title: ActiveSync CSP
description: Learn more about the ActiveSync CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index c187d411e2..b32ae659db 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,14 +1,7 @@
---
title: ActiveSync DDF file
description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index c87f85294d..a7df16f516 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -1,13 +1,6 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 32030275e8..a3ef6dc003 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,13 +1,6 @@
---
title: AllJoynManagement DDF
description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index c53a080791..b20e289a43 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,13 +1,6 @@
---
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 6bb9fd8585..6b5054eb37 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,14 +1,7 @@
---
title: ApplicationControl DDF file
description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -47,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)|
-|Ralink|Wireless-G PCI Adapter|pci\ven_1814&dev_0301&subsys_00551737&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619092) [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619093)|
-|Ralink|Turbo Wireless LAN Card|pci\ven_1814&dev_0301&subsys_25611814&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619094) [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619095)|
-|Ralink|Wireless LAN Card V1|pci\ven_1814&dev_0302&subsys_3a711186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097) [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)|
-|Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099) [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)|
-
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
-
-### Application installation and domain join
-
-Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
-
-### Management of Windows To Go using Group Policy
-
-In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor.
-
-The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:
-
-**Settings for workspaces**
-
-- **Allow hibernate (S4) when started from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs.
-
- > [!IMPORTANT]
- > For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
-
-- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
-
-**Settings for host PCs**
-
-- **Windows To Go Default Startup Options**
-
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
-
- > [!IMPORTANT]
- > Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
-
-## Supporting booting from USB
-
-The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB.
-
-> [!NOTE]
-> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-
-If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
-### Roaming between different firmware types
-
-Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
-
-
-
-This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
-
-
-
-This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
-
-### Configure Windows To Go startup options
-
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
-
-**To configure Windows To Go startup options**
-
-1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter.
-
- 
-
-2. Select **Yes** to enable the startup options.
-
- > [!TIP]
- > If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.
-
-3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**.
-
-### Change firmware settings
-
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
-
-## Related topics
-
-[Windows To Go: feature overview](windows-to-go-overview.md) `Deferral + Deadline + Reporting Period = service level objective` `Grace Period + Reporting period = service level objective` For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the MOF Editor with a .MOF import file
-You can collect your hardware inventory using the MOF Editor and a .MOF import file.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
-2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
-
-3. Pick the inventory items to install, and then click **Import**.
-
-4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
-
-**To collect your inventory**
-
-1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-## Turn off data collection on your client devices
-After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
-
-**To stop collecting data, using PowerShell**
-
-- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
-
- >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
-
-
-**To stop collecting data, using Group Policy**
-
-1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
-
-2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
-
-### Delete already stored data from client computers
-You can completely remove the data stored on your employee’s computers.
-
-**To delete all existing data**
-
-- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
-
- - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
-
-## Related topics
-* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
-* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
-
-
-
-
diff --git a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
deleted file mode 100644
index 807cc8d2c8..0000000000
--- a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
-author: dansimp
-ms.prod: ie11
-title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
-
-## Use the Environment settings area
-This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
-
-**To add location info**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
-
-3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
-
-## Use the Group and role settings area
-After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
-
-**To add a new group and determine the required change request Approvers**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Group and role settings** area of the page, click **Group details**.
-
- The **Add or edit group names** box appears.
-
-3. Click the **Add group** tab, and then add the following info:
-
- - **New group name.** Type name of your new group.
-
- - **Group head email.** Type the email address for the primary contact for the group.
-
- - **Group head name.** This box automatically fills, based on the email address.
-
- - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
-
-4. Click **Save**.
-
-
-**To set a group's required Approvers**
-1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
-
-2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
-
- - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
-
- You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
-
- - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
-
- You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
-
- - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
-
-## Use the Freeze production changes area
-This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date.
-
-**To add the start and end dates**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
-
-3. Click **Save**.
-
-## Related topics
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
-
-- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
deleted file mode 100644
index 867bb143b8..0000000000
--- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to create a change request within the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Create a change request using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
-
-> [!Important]
-> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
-
-**To create a new change request**
-1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
-
- The **Create new request** page appears.
-
-2. Fill out the required fields, based on the group and the app, including:
-
- - **Group name.** Select the name of your group from the dropdown box.
-
- - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
-
- - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
-
- - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
-
- - **Requested by.** Automatically filled in with your name.
-
- - **Description.** Add descriptive info about the app.
-
- - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
-
- - **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
-
- - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
-
- - **App location (URL).** The full URL location to the app, starting with https:// or https://.
-
- - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
-
- - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
-4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
- A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
-
-5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
-
- - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
- - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
-
-## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index ad225f2556..0000000000
--- a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-ms.localizationpriority: low
-description: Delete a single site from your global Enterprise Mode site list.
-ms.pagetype: appcompat
-ms.mktglfcycl: deploy
-author: dansimp
-ms.prod: ie11
-ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-
- **To delete a single site from your global Enterprise Mode site list**
-
-- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
-The site is permanently removed from your list.
-
-If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system.
-
-- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-
-- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 403690d64f..0000000000
--- a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-
-If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
-
- **To change how your page renders**
-
-1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
-
-2. Change the comment or the compatibility mode option.
-
-3. Click **Save** to validate your changes and to add the updated information to your site list.
-If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-4. On the **File** menu, click **Save to XML**, and save the updated file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
deleted file mode 100644
index a8f90c3697..0000000000
--- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
+++ /dev/null
@@ -1,50 +0,0 @@
-## Enterprise Mode and the Enterprise Mode Site List XML file
-The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
-
-Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
-
-### Site list xml file
-
-This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
-
-```xml
-
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge |
-|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge |
-|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 |
-|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge |
-|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
-
-### Schema attributes
-This table includes the attributes used by the Enterprise Mode schema.
-|Attribute|Description|Supported browser|
-|--- |--- |--- |
-|<version>|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
-|<exclude>|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the
**Example** <emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="7">/products</path>
</domain>
</docMode>|Internet Explorer 11|
-
-### Using Enterprise Mode and document mode together
-If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
-
-For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node.
-
-```xml
-<docMode>
|
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|
-|You can specify exact URLs by listing the full path. |<emie>
|
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|
-|You can nest paths underneath domains. |<emie>
|
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
|
-|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
|
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
|
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
deleted file mode 100644
index fcdaa18eee..0000000000
--- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 12/04/2017
----
-
-
-# Enterprise Mode schema v.2 guidance
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
-
-**Important**
-If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-## Enterprise Mode schema v.2 updates
-Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
-
-- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
-
-- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
-
-You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
-
-### Enterprise Mode v.2 schema example
-The following is an example of the v.2 version of the Enterprise Mode schema.
-
-**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
**Example**
<site-list version="205">
| Internet Explorer 11 and Microsoft Edge |
-|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example** <site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site><site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
**Examples**<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
**Example**<site url="contoso.com/travel">
In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge|
-|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge|
-|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">
In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
-
-### Deprecated attributes
-These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
-
-|Deprecated attribute|New attribute|Replacement example|
-|--- |--- |--- |
-|<forceCompatView>|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
-|<docMode>|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
-|<doNotTransition>|<open-in>|Replace:
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<doNotTransition="true"> with <open-in>none</open-in>|
-|<domain> and <path>|<site>|Replace:<emie>
With:
<domain exclude="false">contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
</site>|
-
-While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
-
-**Important**
-Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
-
-### What not to include in your schema
-We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
-
-- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing.
-- Don’t use wildcards.
-- Don’t use query strings, ampersands break parsing.
-
-## Related topics
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
deleted file mode 100644
index f1c67006ba..0000000000
--- a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
+++ /dev/null
@@ -1,36 +0,0 @@
-## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
-You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier.
-
-### Enterprise Mode Site List Manager
-This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
-
-There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
-
-- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
-
- We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
-
-- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
-
- If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
-
-### Enterprise Mode Site List Portal
-The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
-
-In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
-
-- Manage site lists from any device supporting Windows 7 or greater.
-
-- Submit change requests.
-
-- Operate offline through an on-premise solution.
-
-- Provide role-based governance.
-
-- Test configuration settings before releasing to a live environment.
-
-Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
-
-Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
deleted file mode 100644
index 4ead83795d..0000000000
--- a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Enterprise Mode Site List Manager versions
-There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system.
-
-|Schema version |Operating system |Enterprise Site List Manager version |
-|-----------------|---------------|------------------------------------|
-|Enterprise Mode schema, version 2 (v.2) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.
For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).|
-|Enterprise Mode schema, version 1 (v.1) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.
For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)|
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
deleted file mode 100644
index 2c433182a9..0000000000
--- a/browsers/enterprise-mode/enterprise-mode.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use this section to learn about how to turn on Enterprise Mode.
-author: dansimp
-ms.author: dansimp
-ms.prod: edge
-ms.assetid:
-ms.reviewer:
-manager: dansimp
-title: Enterprise Mode for Microsoft Edge
-ms.sitesec: library
-ms.date: 07/17/2018
----
-
-# Enterprise Mode for Microsoft Edge
-Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers the confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
-
-## Available dual-browser experiences
-
-
-## Enterprise Mode features
-
-
-
-
-## Enterprise Mode Site List management tools
-...description of what you can do with these tools; also specify if you must use both or if each tool works independently and no dependencies on the other tool... I think these tools are for two different scenarios...
-
-You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple of tools that can make that process even easier.
-
-| | |
-|---------|---------|
-|Enterprise Mode Site List Manager |Use if your site list is relatively small. |
-|Enterprise Mode Site List Portal |Use if your site list is too large to add individual sites, or if you have more than one person managing the sites. |
-
-### Enterprise Mode Site List Manager
-
-
-### Enterprise Mode Site List Portal
-
-
-
-## Enterprise Mode Site List XML file
-[!INCLUDE [enterprise-mode-and-enterprise-site-list-include](enterprise-mode-and-enterprise-site-list-include.md)]
-
-
-## Turn on Enterprise Mode
-
-
-### Add a single site to the site list
-
-
-### Add multiple sites to the site list
diff --git a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 4f4cbb32bb..0000000000
--- a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved.
-
-**Important**
-This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file.
-
- **To export your compatibility list**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**.
-
-2. Export the file to your selected location. For example, `C:\Users\
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
-
- **To remove single sites from a local Enterprise Mode site list**
-
-1. Open Internet Explorer 11 and go to the site you want to remove.
-
-2. Click **Tools**, and then click **Enterprise Mode**.
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
-
- **To remove all sites from a local Enterprise Mode site list**
-
-1. Open IE11, click **Tools**, and then click **Internet options**.
-
-2. Click the **Delete** button from the **Browsing history** area.
-
-3. Click the box next to **Cookies and website data**, and then click **Delete**.
-
-**Note**
This removes all of the sites from a local Enterprise Mode site list.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 2cb578171f..0000000000
--- a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Save your site list to XML in the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-
- **To save your list as XML**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**.
-
-2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page.
-
-### Setting up, collecting, and viewing reports
-For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report.
-
- **To set up the sample**
-
-1. Set up a server to collect your Enterprise Mode information from your users.
-
-2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project.
-
-3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file.
-
-4. On the **Build** menu, tap or click **Build Solution**.
- Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
-
- 
-
- After you finish the publishing process, you need to test to make sure the app deployed successfully.
-
- **To test, deploy, and use the app**
-
-1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to:
-
- ``` "Enable"="https://
-Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode.
-
- **To turn off the site list using Group Policy**
-
-1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
-
-2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.
-The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API.
-- **Local network location (like, https://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
-- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data.
-
-For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
-
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-portal.md b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md
deleted file mode 100644
index 010448c58d..0000000000
--- a/browsers/enterprise-mode/use-the-enterprise-mode-portal.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
-ms.prod: ie11
-title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-author: dansimp
----
-
-# Use the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
-
-You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
-
-## Minimum system requirements for portal and test machines
-Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
-
-|Item |Description |
-|-----|------------|
-|Operating system |Windows 7 or later |
-|Memory |16 GB RAM |
-|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
-|Active Directory (AD) |Devices must be domain-joined |
-|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
-|Visual Studio |Visual Studio 2015 or later |
-|Node.js® package manager |npm Developer version or higher |
-|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
-
-## Role assignments and available actions
-Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
-
-|Role assignment |Available actions |
-|----------------|------------------|
-|Requester |
|
-|Approver
(includes the App Manager and Group Head roles) |
|
-|Administrator |
|
-
-## Enterprise Mode Site List Portal workflow by employee role
-The following workflow describes how to use the Enterprise Mode Site List Portal.
-
-1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
-
-2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
-
-3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
-
-4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
-
-5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
-
-
-## Related topics
-- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
-
-- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
-
-- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
-
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index f68c42ca3c..0000000000
--- a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 12/04/2017
----
-
-
-# Use the Enterprise Mode Site List Manager
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
-
-[!INCLUDE [enterprise-mode-site-list-mgr-versions-include](../../enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md)]
-
-## Using the Enterprise Mode Site List Manager
-The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager.
-
-|Topic |Description |
-|------|------------|
-|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). |
-|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). |
-|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). |
-|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
-|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.
-Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10.
-
-## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode
-For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see:
-
-- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-
-- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-
-- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-
-- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
-
-For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
deleted file mode 100644
index 3e06b8b806..0000000000
--- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Verify your changes using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-> [!Important]
-> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
-
-The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
-
-- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
-
-- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
-
-## Verify and send the change request to Approvers
-The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
-
-**To verify changes and send to the Approver(s)**
-1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
-
-2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
-
- The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
-
-
-**To rollback your pre-production changes**
-1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
-
-2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
-
- The change request and issue info are sent to the Administrators.
-
-3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
-
- After the Requester rolls back the changes, the request can be updated and re-submitted.
-
-
-## View rolled back change requests
-The original Requester and the Administrator(s) group can view the rolled back change requests.
-
-**To view the rolled back change request**
-
-- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
-
- All rolled back change requests appear, with role assignment determining which ones are visible.
-
-## Next steps
-If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.
diff --git a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md
deleted file mode 100644
index 8387697841..0000000000
--- a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-## Verify and sign off on the update in the production environment
-The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
-
-**To verify the changes and sign off**
-- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
-
- The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
-
-
-**To rollback production changes**
-1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
-
-2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
-
- The info is sent to the Administrators.
-
-3. The Requester clicks **Roll back** to roll back the changes in the production environment.
-
- After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
-
diff --git a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
deleted file mode 100644
index 6ae2c865ea..0000000000
--- a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-ms.localizationpriority: low
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
-
-**To view the active Enterprise Mode Site List**
-1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
-
- The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
-
-2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
-
-
-**To export the active Enterprise Mode Site List**
-1. On the **Production sites list** page, click **Export**.
-
-2. Save the ProductionSiteList.xlsx file.
-
- The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
deleted file mode 100644
index b10897a3d3..0000000000
--- a/browsers/enterprise-mode/what-is-enterprise-mode-include.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-ms.date: 07/17/2018
----
-## What is Enterprise Mode?
-Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
deleted file mode 100644
index e506d779b2..0000000000
--- a/browsers/includes/available-duel-browser-experiences-include.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-## Available dual-browser experiences
-Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
-
-- Use Microsoft Edge as your primary browser.
-
-- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
-
-- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
-
-- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
-
-For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md
deleted file mode 100644
index 21e15f6d8d..0000000000
--- a/browsers/includes/helpful-topics-include.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
-## Helpful information and additional resources
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
-
-- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
-
-- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
-
-- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md)
-
-- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md)
-
-- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
-
-- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx)
-
-- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
-
-
-
-
-
-- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
-- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
-- [Fix web compatibility issues using document modes and the Enterprise Mode site list](/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
deleted file mode 100644
index 31961c97a1..0000000000
--- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
-> [!IMPORTANT]
-> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
-
-1. In the Enterprise Mode Site List Manager, click **File \> Import**.
-
-2. Go to the exported .EMIE file.
ActiveX control installation requires administrator-level permissions.
-
-## Group Policy for the ActiveX Installer Service
-
-You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include:
-
-- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control.
-
-- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
-
-For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](/previous-versions/windows/it-pro/windows-7/dd631688(v=ws.10)).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
deleted file mode 100644
index 455bae28bd..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to add employees to the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Add employees to the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
-
-The available roles are:
-
-- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
-
-- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
-
-**To add an employee to the Enterprise Mode Site List Portal**
-1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
-
- The **Employee management** page appears.
-
-2. Click **Add a new employee**.
-
- The **Add a new employee** page appears.
-
-3. Fill out the fields for each employee, including:
-
- - **Email.** Add the employee's email address.
-
- - **Name.** This box autofills based on the email address.
-
- - **Role.** Pick a single role for the employee, based on the list above.
-
- - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
-
- - **Comments.** Add optional comments about the employee.
-
- - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
-
-4. Click **Save**.
-
-**To export all employees to an Excel spreadsheet**
-1. On the **Employee management** page, click **Export to Excel**.
-
-2. Save the EnterpriseModeUsersList.xlsx file.
-
- The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
deleted file mode 100644
index 57c8991c7d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-
-You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
-
-If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-
-## Create an Enterprise Mode site list (TXT) file
-You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
-You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-Each XML file must include:
-
-- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
-
-- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-### Enterprise Mode v.1 XML schema example
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-```
-
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema
-
-You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
-
-Each XML file must include:
-
-- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains.
-
-- **<open-in> tag.** This tag specifies what browser opens for each sites or domain.
-
-### Enterprise Mode v.2 XML schema example
-
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
-
-```xml
-
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
You can only add specific URLs, not Internet or Intranet Zones.
-
-
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager.
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
-
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
You can only add specific URLs, not Internet or Intranet Zones.
-
-
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system.
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
-
-1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
-
-## Administrative Templates-related Group Policy settings
-When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
-
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
-
-IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
-
-- Computer Configuration\\Administrative Templates\\Windows Components\\
-
-- User Configuration\\Administrative Templates\\Windows Components\\
-
-
-|Catalog |Description |
-| ------------------------------------------------ | --------------------------------------------|
-|IE |Turns standard IE configuration on and off. |
-|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
-|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
-|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
-|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
-|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
-|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
-|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
-|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
-|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
-|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
-|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
-|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
-|RSS Feeds |Sets up and manages RSS feeds in the browser. |
-
-
-## Editing Group Policy settings
-Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771479(v=ws.11)) for step-by-step instructions about editing your Administrative Templates.
-
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](/microsoft-desktop-optimization-pack/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
-
-## Related topics
-- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
-- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
deleted file mode 100644
index 07687792a3..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Approve a change request using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
-
-## Approve or reject a change request
-The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
-
-**To approve or reject a change request**
-1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
-
- The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
-
-2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
-
-3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
-
- An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
-
-
-## Send a reminder to the Approver(s) group
-If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
-
-- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
-
- An email is sent to the selected Approver(s).
-
-
-## View rejected change requests
-The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
-
-**To view the rejected change request**
-
-- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
-
- All rejected change requests appear, with role assignment determining which ones are visible.
-
-
-## Next steps
-After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
deleted file mode 100644
index f87e4e9cc9..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration and auto proxy problems with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration and auto proxy problems with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
-
-## Branding changes aren't distributed using automatic configuration
-If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
-
-## Proxy server setup issues
-If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
-
-- Check to make sure the proxy server address is right.
-
-- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
-
-- Check that the browser is pointing to the right automatic configuration script location.
-
- **To check your proxy server address**
-
-1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
-
-2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
-
-3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](/troubleshoot/browsers/internet-explorer-uses-proxy-server-local-ip-address).
-
- **To check that you've turned on the correct settings**
-
-4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-5. Click **Settings** or **LAN Settings**.
-
-6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
-
- **To check that you're pointing to the correct automatic configuration script location**
-
-7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-8. Click **Settings** or **LAN Settings**.
-
-9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
deleted file mode 100644
index 10ff22508d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration settings for Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-## Adding the automatic configuration registry key
-For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
-
- **To add the registry key**
-
-1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
-
-2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
-
-3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
-
-4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
-
-5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
-
-6. Right-click **iexplore.exe**, and then click **Modify**.
-
-7. In the **Value data** box, enter **1**, and then click **OK**.
-
-8. Exit the registry editor.
-
-## Updating your automatic configuration settings
-After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
-
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer
Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
-
- **To update your settings**
-
-1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
-
-## Locking your automatic configuration settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
deleted file mode 100644
index bf9f448755..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto detect settings Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto detect settings Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
-
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-## Updating your automatic detection settings
-To use automatic detection, you have to set up your DHCP and DNS servers.
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
-
- **To turn on automatic detection for DHCP servers**
-
-1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-3. Open the [DHCP Administrative Tool](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145324(v=ws.10)), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](/previous-versions/tn-archive/bb794881(v=technet.10)).
-
- **To turn on automatic detection for DNS servers**
-
-4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
-
-6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](/previous-versions/tn-archive/cc995062(v=technet.10)).
-
-7. After the database file propagates to the server, the DNS name, `wpad.
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad.
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-## Locking your auto-proxy settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](/windows/deployment/deploy-whats-new).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
deleted file mode 100644
index 17f6488e0a..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Blocked out-of-date ActiveX controls
-description: This page is periodically updated with new ActiveX controls blocked by this feature.
-author: dansimp
-ms.author: dansimp
-audience: itpro
-manager: dansimp
-ms.date: 05/10/2018
-ms.topic: article
-ms.prod: ie11
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.assetid: ''
-ms.reviewer:
-ms.sitesec: library
----
-
-# Blocked out-of-date ActiveX controls
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
-
-We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
-
-You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
-
-**Java**
-
-| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
-|----------------------------------------------------------------------------------------------|
-| J2SE 5.0, everything below (but not including) update 99 |
-| Java SE 6, everything below (but not including) update 181 |
-| Java SE 7, everything below (but not including) update 171 |
-| Java SE 8, everything below (but not including) update 161 |
-| Java SE 9, everything below (but not including) update 4 |
-
-**Silverlight**
-
-
-| Everything below (but not including) Silverlight 5.1.50907.0 |
-|--------------------------------------------------------------|
-| |
-
-For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
deleted file mode 100644
index 3fc8a84465..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: performance
-description: Browser cache changes and roaming profiles
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/16/2017
----
-
-
-# Browser cache changes and roaming profiles
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649079(v=ws.11)). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
-
-To get the best results while using roaming profiles, we strongly recommend the following:
-
-- Create a separate roaming repository for each domain account that uses roaming.
-
-- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
-
-- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
-
-- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
deleted file mode 100644
index 1617af18d5..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-ms.localizationpriority: medium
-title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
-description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10.
-ms.mktglfcycl: deploy
-ms.prod: windows-client
-ms.sitesec: library
-author: dansimp
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-
-# Change history for Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10.
-
-## April 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
-
-## March 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
-
-## November 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
-
-## August 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
-
-## July 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
-
-## June 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
-
-
-## May 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
deleted file mode 100644
index 9b4b3e6f1f..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: medium
----
-
-
-# Check for a new Enterprise Mode site list xml file
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
-
-**How Internet Explorer 11 looks for an updated site list**
-
-1. Internet Explorer starts up and looks for an updated site list in the following places:
-
- 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
-
- 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
-
- 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
-
-2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
deleted file mode 100644
index 810264c501..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to deploy Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to deploy Internet Explorer 11 (IE11)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
-
-## In this section
-
-| Topic | Description |
-|------------------------------------------------------------- | ------------------------------------------------------ |
-|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
-|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
deleted file mode 100644
index 0175cb7bbe..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to install Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to install Internet Explorer 11 (IE11)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Before you install Internet Explorer 11, you should:
-
-- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
-
-- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
-
-- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
-
-- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
-
- - **Existing computers running Windows.** Use Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
- - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825251(v=win.10)). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/), [Windows ADK Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825486(v=win.10)).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
deleted file mode 100644
index 961f15218c..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ /dev/null
@@ -1,446 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Collect data using Enterprise Site Discovery
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Collect data using Enterprise Site Discovery
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7 with Service Pack 1 (SP1)
-
-Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
-
->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-
-## Before you begin
-Before you start, you need to make sure you have the following:
-
-- Latest cumulative security update (for all supported versions of Internet Explorer):
-
- 1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
-
- 
-
- 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
-
- 
-
- 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
-
-- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
-
- - Configuration-related PowerShell scripts
-
- - IETelemetry.mof file
-
- - Sample System Center 2012 report templates
-
- You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
-
-Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
-
-## What data is collected?
-Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
-
-|Data point |IE11 |IE10 |IE9 |IE8 |Description |
-|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. |
-|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. |
-|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. |
-|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. |
-|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. |
-|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. |
-|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. |
-|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. |
-|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
-|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. |
-|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. |
-
-
->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-### Understanding the returned reason codes
-The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
-
-#### DocMode reason
-The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
-|4 |Page is using an X-UA-compatible meta tag. |
-|5 |Page is using an X-UA-compatible HTTP header. |
-|6 |Page appears on an active **Compatibility View** list. |
-|7 |Page is using native XML parsing. |
-|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
-|9 |Page state is set by the browser mode and the page's DOCTYPE.|
-
-#### Browser state reason
-The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
-|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
-|3 |Site appears on an active **Compatibility View** list, created by the user. |
-|4 |Page is using an X-UA-compatible tag. |
-|5 |Page state is set by the **Developer** toolbar. |
-|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
-|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
-|8 |Site appears on the **Quirks** list, created in Group Policy. |
-|11 |Site is using the default browser. |
-
-#### Zone
-The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|-1 |Internet Explorer is using an invalid zone. |
-|0 |Internet Explorer is using the Local machine zone. |
-|1 |Internet Explorer is using the Local intranet zone. |
-|2 |Internet Explorer is using the Trusted sites zone. |
-|3 |Internet Explorer is using the Internet zone. |
-|4 |Internet Explorer is using the Restricted sites zone. |
-
-## Where is the data stored and how do I collect it?
-The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
-
-- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
-
-- **XML file**. Any agent that works with XML can be used.
-
-## WMI Site Discovery suggestions
-We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
-
-On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-## Getting ready to use Enterprise Site Discovery
-Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
-
-**To set up Enterprise Site Discovery**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).
-
-### WMI only: Set up your firewall for WMI data
-If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
-
-**To set up your firewall**
-
-1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
-
-2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
-
-3. Restart your computer to start collecting your WMI data.
-
-## Use PowerShell to finish setting up Enterprise Site Discovery
-You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
-
->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
-
-- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-
-- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
-
-**To set up data collection using a domain allow list**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
-
- >**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
-
-**To set up data collection using a zone allow list**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
-
- >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-
-## Use Group Policy to finish setting up Enterprise Site Discovery
-You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
-
->**Note**
All of the Group Policy settings can be used individually or as a group.
-
- **To set up Enterprise Site Discovery using Group Policy**
-
-- Open your Group Policy editor, and go to these new settings:
-
- |Setting name and location |Description |Options |
- |---------------------------|-------------|---------|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
|
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone |
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
-
-### Combining WMI and XML Group Policy settings
-You can use both the WMI and XML settings individually or together:
-
-**To turn off Enterprise Site Discovery**
-
-|Setting name|Option|
-|--- |--- |
-|Turn on Site Discovery WMI output|Off|
-|Turn on Site Discovery XML output|Blank|
-
-**Turn on WMI recording only**
-
-|Setting name|Option|
-|--- |--- |
-|Turn on Site Discovery WMI output|On|
-|Turn on Site Discovery XML output|Blank|
-
-**To turn on XML recording only**
-
-|Setting name|Option|
-|--- |--- |
-|Turn on Site Discovery WMI output|Off|
-|Turn on Site Discovery XML output|XML file path|
-
-**To turn on both WMI and XML recording**
-
-|Setting name|Option|
-|--- |--- |
-|Turn on Site Discovery WMI output|On|
-|Turn on Site Discovery XML output|XML file path|
-
-## Use Configuration Manager to collect your data
-After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the MOF Editor with a .MOF import file
-You can collect your hardware inventory using the MOF Editor and a .MOF import file.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
-2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
-
-3. Pick the inventory items to install, and then click **Import**.
-
-4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
-
-**To collect your inventory**
-
-1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-## Turn off data collection on your client devices
-After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
-
-**To stop collecting data, using PowerShell**
-
-- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
-
- >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
-
-
-**To stop collecting data, using Group Policy**
-
-1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
-
-2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
-
-### Delete already stored data from client computers
-You can completely remove the data stored on your employee’s computers.
-
-**To delete all existing data**
-
-- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
-
- - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
-
-## Related topics
-* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
-* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
deleted file mode 100644
index db62af6aab..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
-author: dansimp
-ms.prod: ie11
-title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
-
-## Use the Environment settings area
-This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
-
-**To add location info**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
-
-3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
-
-## Use the Group and role settings area
-After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
-
-**To add a new group and determine the required change request Approvers**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Group and role settings** area of the page, click **Group details**.
-
- The **Add or edit group names** box appears.
-
-3. Click the **Add group** tab, and then add the following info:
-
- - **New group name.** Type name of your new group.
-
- - **Group head email.** Type the email address for the primary contact for the group.
-
- - **Group head name.** This box automatically fills, based on the email address.
-
- - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
-
-4. Click **Save**.
-
-
-**To set a group's required Approvers**
-1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
-
-2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
-
- - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
-
- You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
-
- - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
-
- You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
-
- - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
-
-## Use the Freeze production changes area
-This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date.
-
-**To add the start and end dates**
-1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
-
- The **Settings** page appears.
-
-2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
-
-3. Click **Save**.
-
-## Related topics
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
-
-- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
deleted file mode 100644
index cffb48a00d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to create a change request within the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Create a change request using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
-
-> [!Important]
-> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
-
-**To create a new change request**
-1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
-
- The **Create new request** page appears.
-
-2. Fill out the required fields, based on the group and the app, including:
-
- - **Group name.** Select the name of your group from the dropdown box.
-
- - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
-
- - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
-
- - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
-
- - **Requested by.** Automatically filled in with your name.
-
- - **Description.** Add descriptive info about the app.
-
- - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
-
- - **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
-
- - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
-
- - **App location (URL).** The full URL location to the app, starting with https:// or https://.
-
- - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
-
- - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](/previous-versions/windows/internet-explorer/ie-developer/compatibility/cc288325(v=vs.85)).
-
-4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
- A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
-
-5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
-
- - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
- - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
-
-## Next steps
-
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
deleted file mode 100644
index 395703b43d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Create packages for multiple operating systems or languages
-author: dansimp
-ms.prod: ie11
-ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Create packages for multiple operating systems or languages
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You'll create multiple versions of your custom browser package if:
-
-- You support more than 1 version of Windows®.
-
-- You support more than 1 language.
-
-- You have custom installation packages with only minor differences. Like, having a different phone number.
-
- **To create a new package**
-
-1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic.
-
-2. Go to your **CIE/Custom** folder and rename the `Install.ins`file. For example, if you need a version for employees in Texas, rename the file to Texas.ins.
-
-3. Run the wizard again, using the Custom folder as the destination directory.
-Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
deleted file mode 100644
index ddaef22325..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Customize Internet Explorer 11 installation packages
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Customize Internet Explorer 11 installation packages
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files.
-
-|Topic |Description |
-|------------------------------------------------------------------------|----------------------------------------------------|
-|[Using IEAK 11 to create packages](using-ieak11-to-create-install-packages.md) |How to use the Internet Explorer Administration Kit 11 (IEAK 11) and the IE Customization Wizard 11 to set up, configure, deploy, and maintain IE11. |
-|[Create packages for multiple operating systems or languages](create-install-packages-for-multiple-operating-systems-or-languages.md) |How to create multiple versions of your custom installation package, to support multiple operating systems or languages. |
-|[Using .INF files to create packages](using-inf-files-to-create-install-packages.md) |How to use the Microsoft® Windows Setup Engine to automate setup tasks and customize your component installations. |
-
-
-
-In addition, you can configure IE before, during, or after deployment, using these tools:
-
-- **IE Administration Kit 11 (IEAK 11)**. Creates customized installation packages that can be deployed through your software distribution system. For more information about the IEAK 11, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-
-- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
-
-- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.
-You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/ff699026(v=win.10)). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)).
-
-
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 843d917596..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-ms.localizationpriority: medium
-description: Delete a single site from your global Enterprise Mode site list.
-ms.pagetype: appcompat
-ms.mktglfcycl: deploy
-author: dansimp
-ms.prod: ie11
-ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-
- **To delete a single site from your global Enterprise Mode site list**
-
-- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
-The site is permanently removed from your list.
-
-If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system.
-
-- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-
-- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
deleted file mode 100644
index 0f0c56de35..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
-author: dansimp
-ms.prod: ie11
-ms.assetid: f51224bd-3371-4551-821d-1d62310e3384
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
-
-## What is Automatic Version Synchronization?
-Automatic Version Synchronization (AVS) lets you use the Internet Explorer Administration Kit 11 (IEAK 11) to synchronize the IE11 setup files on a local computer with the latest setup files on the web.
-
-You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md)
-.
-
-## Related topics
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md)
-- [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md)
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
deleted file mode 100644
index 7eaac18e22..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Deploy Internet Explorer 11 using software distribution tools
-author: dansimp
-ms.prod: ie11
-ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Deploy Internet Explorer 11 using software distribution tools
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
-
-- **Configuration Manager** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)).
-
-- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
-
-- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](/previous-versions/windows/it-pro/windows-server-2003/cc738858(v=ws.10)).
-
-- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
deleted file mode 100644
index 513e6e6b22..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List.
-
-The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](/mem/configmgr/mdt/).
-
-## Deploying pinned websites in MDT 2013
-This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](./install-ie11-using-operating-system-deployment-systems.md) in the TechNet library.
-
-Deploying pinned websites in MDT 2013 is a 4-step process:
-
-1. Create a .website file for each website that you want to deploy. When you pin a website to the taskbar, Windows 8.1 creates a .website file that describes how the icon should look and feel.
-
-2. Copy the .website files to your deployment share.
-
-3. Copy the .website files to your target computers.
-
-4. Edit the task sequence of your Unattend.xml answer files to pin the websites to the taskbar. In particular, you want to add each .website file to the **TaskbarLinks** item in Unattend.xml during oobeSystem phase. You can add up to six .website files to the **TaskbarLinks** item.
-
-Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List.
-
-**Important**
-To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar.
-
-### Step 1: Creating .website files
-The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks.
-
- **To create each .website file**
-
-1. Open the website in IE11.
-
-2. Drag the website’s tab and drop it on the Windows 8.1 taskbar.
-
-3. Go to `%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar` in Windows Explorer, and copy the bing.website and msn.website files to your desktop.
-
-### Step 2: Copying the .website files to the deployment share
-Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer.
-
- **To copy .website files to the deployment share**
-
-1. Open your MDT 2013 deployment share in Windows Explorer.
-
-2. In the `$OEM$` folder, create the path `$1\Users\Public\Public Links`. If the `$OEM$` folder doesn’t exist, create it at the root of your deployment share.
-
-3. Copy the bing.website and msn.website files from your desktop to `$OEM$\$1\Users\Public\Public Links` in your deployment share.
-
-### Step 3: Copying .website files to target computers
-After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar.
-
- **To copy .website files to target computers**
-
-1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**.
-
-2. In the right pane of the **Deployment Workbench**, right-click your task sequence (create a new one if you don’t have one yet), and click **Properties**.
-
-3. In the **Task Sequence** tab, click the **Postinstall** folder, click **General** from the **Add** button, and then click **Run Command Line**.
-
-4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder.
-
-5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`.
-
-6. Click the **Apply** button to save your changes.
-
-### Step 4: Pinning .website files to the Taskbar
-With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar.
-
- **To pin .website files to the Taskbar**
-
-1. Open the Windows System Image Manager (Windows SIM).
-
-2. On the **OS Info** tab, click **Edit Unattend.xml** to open the Unattend.xml file.
-
-2. In the **Windows Image** pane, under **Components** and then **Microsoft-Windows-Shell-Setup**, right-click **TaskbarLinks**, and then click **Add Setting to Pass 7 oobeSystem**.
-
-3. In the **TaskbarLinks Properties** pane, add the relative path to the target computer’s (not the deployment share’s) .website files that you created earlier. You can add up to six links to the **TaskbarLinks** item. For example, `%PUBLIC%\Users\Public\Public Links\Bing.website` and `%PUBLIC%\Users\Public\Public Links\MSN.website`
-
-4. On the **File** menu, click **Save Answer File**, and then close Windows SIM.
-
-5. To close the task sequence, click **OK**.
-
-## Updating intranet websites for pinning
-The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization.
-
-You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](/previous-versions/windows/internet-explorer/ie-developer/samples/gg491731(v=vs.85)) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery.
-
-## Related topics
-- [Unattended Windows Setup Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/ff699026(v=win.10))
-- [Windows System Image Manager Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10))
-- [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/)
-- [Windows ADK Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825486(v=win.10))
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
deleted file mode 100644
index 5cfa201d18..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Deprecated document modes and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes.
-
-This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.
-
->**Note**
->For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
-
-## What is document mode?
-Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly.
-
-Because our goal with Microsoft Edge is to give users the best site and app viewing experience possible, we’ve decided to stop support for document modes. All websites and apps using legacy features and code will need to be updated to rely on the new modern standards and practices.
-
-If you have legacy sites and apps that can’t be updated to modern standards, you can continue to use IE11 and document modes. We recommend that you use the **IE11 Standards document mode** because it represents the highest support available for modern standards. You should also use the HTML5 document type declaration to turn on the latest supported standards while using IE11:``.
-
-## Document modes and IE11
-The compatibility improvements made in IE11 lets older websites just work in the latest standards mode, by default, without requiring emulation of the previous browser behavior. Because older websites are now just working, we’ve decided that Internet Explorer 10 document mode will be the last new document mode. Instead, developers will need to move to using the IE11 document mode going forward.
-
-## Document mode selection flowchart
-This flowchart shows how IE11 works when document modes are used.
-
-
-[Click this link to enlarge image](img-ie11-docmode-lg.md)
-
-## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
-The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode.
-
-## Related topics
-- [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 29574ab860..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-
-If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
-
- **To change how your page renders**
-
-1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
-
-2. Change the comment or the compatibility mode option.
-
-3. Click **Save** to validate your changes and to add the updated information to your site list.
-If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-4. On the **File** menu, click **Save to XML**, and save the updated file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
deleted file mode 100644
index e21f3e41ed..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Enable and disable add-ons using administrative templates and group policy
-ms.author: dansimp
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 4/12/2018
----
-
-
-# Enable and disable add-ons using administrative templates and group policy
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
-
-There are four types of add-ons:
-
-- **Search Providers.** Type a term and see suggestions provided by your search provider.
-
-- **Accelerators.** Highlight text on a web page and then click the blue **Accelerator** icon to email, map, search, translate, or do many other tasks.
-
-- **Web Slices.** Subscribe to parts of a website to get real-time information on the Favorites bar.
-
-- **Toolbars.** Add features (like stock tickers) to your browser.
-
-## Using the Local Group Policy Editor to manage group policy objects
-You can use the Local Group Policy Editor to change how add-ons work in your organization.
-
- **To manage add-ons**
-
-1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`.
-
-2. Change any or all of these settings to match your company’s policy and requirements.
-
- - Turn off add-on performance notifications
-
- - Automatically activate newly installed add-ons
-
- - Do not allow users to enable or disable add-ons
-
-3. Go into the **Internet Control Panel\\Advance Page** folder, where you can change:
-
- - Do not allow resetting IE settings
-
- - Allow third-party browser extensions
-
-4. Go into the **Security Features\\Add-on Management** folder, where you can change:
-
- - Add-on List
-
- - Deny all add-ons unless specifically allowed in the Add-on List
-
- - Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects
-
-5. Close the Local Group Policy Editor when you’re done.
-
-## Using the CLSID and Administrative Templates to manage group policy objects
-Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates.
-
- **To manage add-ons**
-
-1. Get the CLSID for the add-on you want to enable or disable:
-
- 1. Open IE, click **Tools**, and then click **Manage Add-ons**.
-
- 2. Double-click the add-on you want to change.
-
- 3. In the More Information dialog, click **Copy** and then click **Close**.
-
- 4. Open Notepad and paste the information for the add-on.
-
- 5. On the Manage Add-ons windows, click **Close**.
-
- 6. On the Internet Options dialog, click **Close** and then close IE.
-
-2. From the copied information, select and copy just the **Class ID** value.
-
- > [!NOTE]
- > You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
-
-3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
-
**-OR-**
-Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
-
-4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears.
-
-6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
-
-6. In **Value**, enter one of the following:
-
- - **0**. The add-on is disabled and your employees can’t change it.
-
- - **1**. The add-on is enabled and your employees can’t change it.
-
- - **2**. The add-on is enabled and your employees can change it.
-
-7. Close the Show Contents dialog.
-
-7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
-
-8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.
Enabling turns off the message prompting you to Enable or Don't enable the add-on.
-
-7. Click **OK** twice to close the Group Policy editor.
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
deleted file mode 100644
index e284e24e3f..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Enhanced Protected Mode problems with Internet Explorer
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Enhanced Protected Mode problems with Internet Explorer
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on.
-
-You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide.
-
-For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](/archive/blogs/ieinternals/understanding-enhanced-protected-mode) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals.
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
deleted file mode 100644
index e5e3c31095..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
-author: dansimp
-ms.prod: ie11
-ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Enterprise Mode for Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
-
-## In this section
-
-|Topic |Description |
-|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
-|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. |
-|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. |
-|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. |
-|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
-|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. |
-|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.|
-|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
-|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
-|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. |
-|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. |
-|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. |
-|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. |
-|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. |
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
deleted file mode 100644
index e486ed248d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 17c61547-82e3-48f2-908d-137a71938823
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Enterprise Mode schema v.1 guidance
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
-
-If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
-
-## Enterprise Mode schema v.1 example
-The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1.
-
-> [!IMPORTANT]
-> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge |
-|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge |
-|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 |
-|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge |
-|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>
Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does. |Internet Explorer 11 and Microsoft Edge |
-
-### Schema attributes
-This table includes the attributes used by the Enterprise Mode schema.
-
-|Attribute|Description|Supported browser|
-|--- |--- |--- |
-|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
-|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
**Example** <emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11|
-|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>
**Example**<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie><docMode>
|
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|
-|You can specify exact URLs by listing the full path. |<emie>
|
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|
-|You can nest paths underneath domains. |<emie>
|
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
|
-|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
|
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
|
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
deleted file mode 100644
index 5af6fab521..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 12/04/2017
----
-
-
-# Enterprise Mode schema v.2 guidance
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
-
-> [!IMPORTANT]
-> If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-## Enterprise Mode schema v.2 updates
-Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
-
-- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
-
-- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
-
-You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
-
-### Enterprise Mode v.2 schema example
-The following is an example of the v.2 version of the Enterprise Mode schema.
-
-> [!IMPORTANT]
-> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
**Example**
<site-list version="205">
| Internet Explorer 11 and Microsoft Edge |
-|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example** <site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site><site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
**Examples**<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
**Example**<site url="contoso.com/travel">
In this example, if `https://contoso.com/travel` is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. | Internet Explorer 11 and Microsoft Edge|
-|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge|
-|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both `http://contoso.com` and `https://contoso.com`.
**Example**<site url="contoso.com:8080">
In this example, going to `https://contoso.com:8080` using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
-
-### Deprecated attributes
-These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
-
-|Deprecated attribute|New attribute|Replacement example|
-|--- |--- |--- |
-|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
-|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
-|doNotTransition|<open-in>|Replace:
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<doNotTransition="true"> with <open-in>none</open-in>|
-|<domain> and <path>|<site>|Replace:<emie>
With:
<domain>contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
Replace:<emie>
<domain exclude="true" donotTransition="true">contoso.com
<path forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>|
-
-While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
-
-> [!IMPORTANT]
-> Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
-
-### What not to include in your schema
-We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
-
-- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing.
-- Don’t use wildcards.
-- Don’t use query strings, ampersands break parsing.
-
-## Related topics
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index 602eeb31b1..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved.
-
-**Important**
-This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file.
-
- **To export your compatibility list**
-
-1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**.
-
-2. Export the file to your selected location. For example, `C:\Users\
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual.
-
-### When do I use document modes versus Enterprise Mode?
-While the `
-If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
-
-3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario.
-
-### Add your site to the Enterprise Mode site list
-After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list.
-
-**Note**
-There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md).
-
- **To add your site to the site list**
-
-1. Open the Enterprise Mode Site List Manager, and click **Add**.
-
- 
-
-2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
-Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11.
-
-**Note**
-For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md).
-
-
-### Review your Enterprise Mode site list
-Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like:
-
-
-
-And the underlying XML code will look something like:
-
-``` xml
-
-Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues.
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
deleted file mode 100644
index 93486e7113..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures.
-
-From AGPM you can:
-
-- **Edit GPOs outside of your production environment.** Your GPOs are stored in an outside archive for editing, reviewing, and approving. Then, when you deploy, AGPM moves the GPOs to your production environment.
-
-- **Assign roles to your employees.** You can assign 3 roles to your employees or groups, including:
-
- - **Reviewer.** Can view and compare GPOs in the archive. This role can't edit or deploy GPOs.
-
- - **Editor.** Can view, compare, check-in and out, and edit GPOs in the archive. This role can also request GPO deployment.
-
- - **Approver.** Can approve GPO creation and deployment to the production environment.
-
-- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment.
-
-**Note**
-For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/download/details.aspx?id=13975).
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
deleted file mode 100644
index b56fd8d946..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
-author: dansimp
-ms.prod: windows-client
-ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2.
-
-## Why use the GPMC?
-The GPMC lets you:
-
-- Import, export, copy, paste, backup and restore GPOs.
-
-- Search for existing GPOs.
-
-- Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print.
-
-- Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment.
-
-- Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment.
-
-- Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO.
-
-- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO.
-
-For more information about the GPMC, see [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) on TechNet.
-
-## Searching for Group Policy settings
-To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**.
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
deleted file mode 100644
index 7e8c419582..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy and Internet Explorer 11 (IE11)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer.
-
-## In this section
-
-|Topic |Description |
-|----------------------------------------------------|-----------------------------------------------------------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Info about many of the new group policy settings added for Internet Explorer 11. |
-|[Group Policy management tools](group-policy-objects-and-ie11.md) |Guidance about how to use Microsoft Active Directory Domain Services (AD DS) to manage your Group Policy settings. |
-|[ActiveX installation using group policy](activex-installation-using-group-policy.md) |Info about using the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. |
-|[Group Policy and compatibility with Internet Explorer 11](group-policy-compatibility-with-ie11.md) |Our Group Policy recommendations for security, performance, and compatibility with previous versions of IE, regardless of which Zone the website is in. |
-|[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. |
-|[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. |
-|[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects.
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
deleted file mode 100644
index c3a615888f..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy, the Local Group Policy Editor, and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1.
-
-Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725970(v=ws.11)).
-
-|Computer configuration |User configuration |
-|-----------------------|-------------------|
-|Windows settings:
|Windows settings:
|
-|Administrative templates:
|Administrative templates:
|
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
deleted file mode 100644
index 12b360b126..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Group Policy suggestions for compatibility with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy and compatibility with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in.
-
-|Activity |Location |Setting the policy object |
-|---------------------------------|----------------------------------------------|-------------------------------------------------------------------------|
-|Turn on Compatibility View for all intranet zones |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Turn on IE Standards Mode for local intranet** , and then click **Disabled**. |
-|Turn on Compatibility View for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Windows Internet Explorer 7 sites** , and then click **Enabled**.Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. |
-|Turn on Quirks mode for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Quirks Mode sites**, and then click **Enabled**. |
-|Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Include updated Web site lists from Microsoft**, and then click **Enabled**. |
-|Restrict users from making security zone configuration changes. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel` |Double-click **Disable the Security Page**, and then click **Enabled**. |
-|Control which security zone settings are applied to specific websites. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page` |Double-click **Site to Zone Assignment List**, click **Enabled**, and then enter your list of websites and their applicable security zones. |
-|Turn off Data Execution Prevention (DEP). |`Administrative Templates\ Windows Components\Internet Explorer\Security Features` |Double-click **Turn off Data Execution Prevention**, and then click **Enabled**. |
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
deleted file mode 100644
index 4e6daed0d1..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Overview of the available Group Policy management tools
-author: dansimp
-ms.prod: windows-client
-ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy management tools (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy management tools
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model.
-
-By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
-
-**Note**
-For more information about Group Policy, see the [Group Policy TechCenter](/windows/deployment/deploy-whats-new). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
-
-## Managing settings with GPOs
-After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups:
-
-- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md). Used to manage registry-based policies and options.
-
-- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md). Used to set up and manage options that can be changed by the user after installation.
-
-**Note**
-Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings.
-
-
-Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11).
-
-## Which GPO tool should I use?
-You can use any of these tools to create, manage, view, and troubleshoot Group Policy objects (GPOs). For information about each, see:
-
-- [Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11](group-policy-and-group-policy-mgmt-console-ie11.md). Provides a single location to manage all GPOs, WMI filters, and Group Policy–related permissions across multiple forests in an organization.
-
-- [Group Policy, the Local Group Policy Editor, and Internet Explorer 11](group-policy-and-local-group-policy-editor-ie11.md). Provides a user interface that lets you edit settings within individual GPOs.
-
-- [Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11](group-policy-and-advanced-group-policy-mgmt-ie11.md). An add-on license for the Microsoft Desktop Optimization Pack (MDOP) that helps to extend Group Policy for Software Assurance customers.
-
-- [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely.
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
deleted file mode 100644
index b30e90d746..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Info about Group Policy preferences versus Group Policy settings
-author: dansimp
-ms.prod: ie11
-ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group policy preferences and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Group Policy preferences are less strict than Group Policy settings, based on:
-
-| Type |Group Policy preferences |Group Policy settings |
-|-----|-------------------------|----------------------|
-|Enforcement |
|
|
-|Flexibility |Lets you create preference items for registry settings, files, and folders. |
|
-|Local Group Policy |Not available |Available
-|Awareness |Supports apps that aren't Group Policy-aware |Requires apps to be Group Policy-aware |
-|Storage |
|
|
-|Targeting and filtering |
|
|
-
-
-For more information about Group Policy preferences, see the [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876).
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
deleted file mode 100644
index 8cec1052e4..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy problems with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134223(v=ws.11)).
-
-## Group Policy Object-related Log Files
-You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
deleted file mode 100644
index 8a23dbf697..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy, Shortcut Extensions, and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to:
-
-- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen.
-
-- **URLs.** Shortcuts to webpages or FTP sites. For example, a link to your intranet site from your employee's **Favorites** folder.
-
-- **Shell objects.** Shortcuts to objects that appear in the shell namespace, such as printers, desktop items, Control Panel items, the Recycle Bin, and so on.
-
-## How do I configure shortcuts?
-You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC).
-
- **To create a new Shortcut preference item**
-
-1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**.
-
-2. From **Computer Configuration** or **User Configuration**, go to **Preferences**, and then go to **Windows Settings**.
-
-3. Right-click **Shortcuts**, click **New**, and then choose **Shortcut**.
-
-4. Choose what the shortcut should do, including **Create**, **Delete**, **Replace**, or **Update**.
-
-5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**.
-
-For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730592(v=ws.11)) and [Configure a Shortcut Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753580(v=ws.11)).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
deleted file mode 100644
index c3f3970e4d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11
-author: dansimp
-ms.prod: windows-client
-ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy, Windows Powershell, and Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell.
-
-Each cmdlet is a single-function command-line tool that can:
-
-- Create, edit, remove, back up, and import GPOs.
-
-- Create, update, and remove Group Policy links.
-
-- Set inheritance flags and permissions on organizational units (OU) and domains.
-
-- Configure registry-based policy settings and registry settings for Group Policy preferences.
-
-For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759177(v=ws.11)).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
deleted file mode 100644
index c8b17e2ff9..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: A high-level overview of the delivery process and your options to control deployment of Internet Explorer through automatic updates.
-author: dansimp
-ms.author: dansimp
-ms.manager: dansimp
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Internet Explorer 11 delivery through automatic updates
-ms.sitesec: library
-ms.date: 05/22/2018
----
-
-# Internet Explorer 11 delivery through automatic updates
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
-
-- [Automatic updates delivery process](#automatic-updates-delivery-process)
-
-- [Internet Explorer 11 automatic upgrades](#internet-explorer-11-automatic-upgrades)
-
-- [Options for blocking automatic delivery](#options-for-blocking-automatic-delivery)
-
-- [Prevent automatic installation of Internet Explorer 11 with WSUS](#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
-
-## Automatic updates delivery process
-
-Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11
-to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their
-current version of Internet Explorer.
-
-Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.
-
-> [!NOTE]
-> If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
-
-## Internet Explorer 11 automatic upgrades
-
-Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11.
-
-Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update.
-
-## Options for blocking automatic delivery
-
-If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following:
-
-- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
- > [!NOTE]
- > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
-
-- **Use an update management solution to control update deployment.**
- If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
-
- > [!NOTE]
- > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
-
-Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx).
-
-## Availability of Internet Explorer 11
-
-Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Configuration Manager and WSUS.
-
-## Prevent automatic installation of Internet Explorer 11 with WSUS
-
-Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to:
-
-1. Click **Start**, click **Administrative Tools**, and then click **Microsoft
- Windows Server Update Services 3.0**.
-
-2. Expand *ComputerName*, and then click **Options**.
-
-3. Click **Automatic Approvals**.
-
-4. Click the rule that automatically approves an update that is classified as
- Update Rollup, and then click **Edit.**
-
- > [!NOTE]
- > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
-
-5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
-
- > [!NOTE]
- > The properties for this rule will resemble the following:
-
-6. Clear the **Update Rollup** check box, and then click **OK**.
-
-7. Click **OK** to close the **Automatic Approvals** dialog box.
-Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary to deploy IE11.
-
-## In this guide
-|Topic |Description |
-|------|------------|
-|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. |
-|[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
-|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
-|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. |
-|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode, the Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal in your company. |
-|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
-|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
-|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |
-|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called out-of-date ActiveX control blocking. |
-|[Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md) |Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes.
For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). |
-|[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. |
-|[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).
Ignore any warnings that say, "Skipping invalid CAB file". This shows up because the **Import OS Packages** wizard skips the IE11\_Support.cab file, which isn't an actual update file.
-
-4. After the import finishes, click **Finish**.
-
-### Offline servicing with MDT
-
-You can add the IE11 update while you're performing offline servicing, or slipstreaming, of your Windows images. This method lets you deploy IE11 without needing any additional installation after you've deployed Windows.
-
-These articles have step-by-step details about adding packages to your Windows images:
-
-- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824838(v=win.10)).
-
-- For Windows 7 SP1, see [Add or Remove Packages Offline](/previous-versions/windows/it-pro/windows-7/dd744559(v=ws.10)).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
deleted file mode 100644
index b8083e1f8d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager
-author: dansimp
-ms.prod: windows-client
-ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)). Complete these steps for each operating system and platform combination.
-
- **To install IE11**
-
-1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md).
-
-2. Create a software distribution package that includes the IE11 installation package.
-
-3. Create a program that includes the command-line needed to run the IE11 installation package. To run the package silently, without restarting and without checking the Internet for updates, use:`ie11_package.exe /quiet /norestart /update-no`.
-
-4. Move the installation package to your distribution points, and then advertise the package.
-
-You can also use System Center Essentials 2010 to deploy IE11 installation packages. For info, see [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?linkid=395200) and the [System Center Essentials 2010 Operations Guide](https://go.microsoft.com/fwlink/p/?LinkId=214266).
-
-
-
-
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
deleted file mode 100644
index d0d9d17be1..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to install the Internet Explorer 11 update using your network
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using your network
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11).
-
-**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
-
- **To manually create the folder structure**
-
-- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees.
-
- **To create the folder structure using IEAK 11**
-
-- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.
Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages.
-
-## Related topics
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md)
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
deleted file mode 100644
index d593de27c6..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to install the Internet Explorer 11 update using third-party tools and command-line options.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using third-party tools
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options:
-
-## Setup Modes
-
-|Command-line options |Description |
-|---------------------|------------------------------------------------------|
-|`/passive` |Installs without customer involvement. |
-|`/quiet` |Installs without customer involvement and without showing the UI. |
-
-## Setup Options
-
-|Command-line options |Description |
-|---------------------|------------------------------------------------------|
-|`/update-no` |Installs without checking for updates.
If you don't use this option, you'll need an Internet connection to finish your installation. |
-|`/no-default` |Installs without making IE11 the default web browser. |
-|`/closeprograms` |Automatically closes running programs. |
-
-
-## Restart Options
-
-|Command-line options |Description |
-|---------------------|------------------------------------------------------|
-|`/norestart` |Installs without restarting the computer. |
-|`/forcerestart` |Installs and restarts after installation. |
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
deleted file mode 100644
index 07b0485309..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)'
-author: dansimp
-ms.prod: ie11
-ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
-
- **To import from Windows Update to WSUS**
-
-1. Open your WSUS admin site. For example, `https://
|On the **Browser User Interface** page of IEAK 11, click **Add**, type your new toolbar caption, action, and icon, and if the button should appear by default, and then click **OK**. You can also edit, remove, or delete an existing toolbar button from this page. |
-|Custom logo and animated bitmaps |Lets you replace the static and animated logos in the upper-right corner of the IE window with customized logos. |This setting isn't available anymore. |
-
-
-### Connection replacements
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Connection settings|Lets you import your connection settings from a previously set up computer. These settings define how your employees interact with the connection settings on the **System Polices and Restrictions** page. You can also remove old dial-up connections settings from your employee's computers.|In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, and set up your proxy settings.
Advanced IEM Settings were shown under **Programs** and only available when running in **Preference** mode.
-
-|IEM setting |Description |Replacement tool |
-|------------|------------|-----------------|
-|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. |
-|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required
This functionality is only available in Internet Explorer for the desktop.
-
- **To change your Compatibility View settings**
-
-1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**.
-
-2. In the **Compatibility View Settings** box, add the problematic website URL, and then click **Add**.
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
-| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
| IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
-| Allow VBScript to run in Internet Explorer |
| Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
(Internet, Restricted Zones) |
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
(Intranet, Trusted, Local Machine Zones) |
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
If you disable or don’t configure this setting, the notification will be shown. |
-| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
-| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
-| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
-| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
-| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
-| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
-| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
Microsoft Edge doesn't support ActiveX controls. |
-|Windows 8.1 and Windows 8.1 Update |All supported versions of IE |
-|Windows 7 SP1 |All supported versions of IE |
-|Windows Server 2012 |All supported versions of IE |
-|Windows Server 2008 R2 SP1 |All supported versions of IE |
-|Windows Server 2008 SP2 |Windows Internet Explorer 9 only |
-|Windows Vista SP2 |Windows Internet Explorer 9 only |
-
-For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md).
-
-
-## What does the out-of-date ActiveX control blocking notification look like?
-When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE:
-
-**Internet Explorer 9 through Internet Explorer 11**
-
-
-
-**Windows Internet Explorer 8**
-
-
-
-Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:
-
-
-
-
-## How do I fix an outdated ActiveX control or app?
-From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version.
-
- **To get the updated ActiveX control**
-
-1. From the notification bar, tap or click **Update**.
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again.
-
- **To get the updated app**
-
-1. From the security warning, tap or click **Update** link.
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again.
-
-## How does IE decide which ActiveX controls to block?
-IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.
-
-You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here:
-- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?LinkId=798230)
-- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864)
-
-**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt:
-
-```
-reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
-```
-Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
-
-## Out-of-date ActiveX control blocking
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
- on managed devices
-Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
-
-### Group Policy settings
-Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.
-
-**Important**
-Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption.
-
-|Setting |Category path |Supported on |Help text |
-|--------|--------------|-------------|----------|
-|Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.
|
-|Remove **Run this time** button for outdated ActiveX controls in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f`
|
-|Turn off blocking of outdated ActiveX controls for IE on specific domains |reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f
|
-|Turn off blocking of outdated ActiveX controls for IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f`
|
-|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |`reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f`
-
-## Inventory your ActiveX controls
-You can inventory the ActiveX controls being used in your company, by turning on the **Turn on ActiveX control logging in IE** setting:
-
-- **Windows 10:** Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class.
-
-- **All other versions of Microsoft Windows:** Through a .csv file only.
-
-
-### Inventory your ActiveX controls by using a .CSV file
-If you decide to inventory the ActiveX controls being used in your company by turning on the **Turn on ActiveX control logging in IE** setting, IE logs the ActiveX control information to the `%LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv` file.
-
-Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file.
-
-|Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible |
-|-----------|----------|----------------|-------------|----------------|-------|---------------|
-|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible |
-|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible |
-
-**Where:**
-- **Source URI.** The URL of the page that loaded the ActiveX control.
-
-- **File path.** The location of the binary that implements the ActiveX control.
-
-- **Product version.** The product version of the binary that implements the ActiveX control.
-
-- **File version.** The file version of the binary that implements the ActiveX control.
-
-- **Allowed/Blocked** Whether IE blocked the ActiveX control.
-
-- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](/troubleshoot/browsers/enhanced-protected-mode-add-on-compatibility).
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible.
-
-- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons:
-
-|Reason |Corresponds to |Description |
-|-------------------------|---------------|-------------------------------------------------|
-|Version not in blocklist |Allowed |The version of the loaded ActiveX control is explicitly allowed by the IE version list. |
-|Trusted domain |Allowed |The ActiveX control was loaded on a domain listed in the **Turn off blocking of outdated ActiveX controls for IE on specific domains** setting. |
-|File doesn’t exist |Allowed |The loaded ActiveX control is missing required binaries to run correctly. |
-|Out-of-date |Blocked |The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date. |
-|Not in blocklist |Allowed |The loaded ActiveX control isn’t in the IE version list. |
-|Managed by policy |Allowed |The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. |
-|Trusted Site Zone or intranet |Allowed |The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. |
-|Hardblocked |Blocked |The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities. |
-|Unknown |Allowed or blocked |None of the above apply. |
-
-### Inventory your ActiveX controls by using a local WMI class
-For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control.
-
-#### Before you begin
-Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](https://go.microsoft.com/fwlink/p/?LinkId=616971), which includes:
-
-- **ConfigureWMILogging.ps1**. A Windows PowerShell script.
-
-- **ActiveXWMILogging.mof**. A managed object file.
-
-Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer.
-
- **To configure IE to use WMI logging**
-
-1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting.
-
-2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command:
- ```
- powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1
- ```
- For more info, see [about_Execution_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).
-
-3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md).
-
-The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md).
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
deleted file mode 100644
index 41a67c1f65..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback.
-author: dansimp
-ms.prod: windows-client
-ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/16/2017
----
-
-
-# Problems after installing Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them.
-
-## Internet Explorer is in an unusable state
-If IE11 gets into an unusable state on an employee's computer, you can use the **Reset Internet Explorer Settings (RIES)** feature to restore the default settings for many of the browser features, including:
-
-- Search scopes
-
-- Appearance settings
-
-- Toolbars
-
-- ActiveX® controls (resets to the opt-in state, unless they're pre-approved)
-
-- Branding settings created with IEAK 11
-
-RIES does not:
-
-- Clear the Favorites list, RSS feeds, or Web slices.
-
-- Reset connection or proxy settings.
-
-- Affect the applied Administrative Template Group Policy settings.
-
-RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5).
-
-## IE is crashing or seems slow
-If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode.
-
- **To check your browser add-ons**
-
-1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box.
-
-2. Check if IE still crashes.
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page.
-
-### Setting up, collecting, and viewing reports
-For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report.
-
- **To set up the sample**
-
-1. Set up a server to collect your Enterprise Mode information from your users.
-
-2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project.
-
-3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file.
-
-4. On the **Build** menu, tap or click **Build Solution**.
- Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
-
- 
-
- After you finish the publishing process, you need to test to make sure the app deployed successfully.
-
- **To test, deploy, and use the app**
-
-7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to:
-
- ``` "Enable"="https://
-IE11 isn't supported on Windows 8 or Windows Server 2012.
-
-Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
-
-
-| Item | Minimum requirements |
-|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) |
-| Operating system |
|
-| Memory |
|
-| Hard drive space | |
-| Drive | CD-ROM drive (if installing from a CD-ROM) |
-| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors |
-| Peripherals | Internet connection and a compatible pointing device |
-
-## Support for .NET Framework
-You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md).
-
-## Support for multiple languages
-IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 languages for Windows 7 with SP1. For the list of languages and download links, see [Available language packs based on operating system](https://go.microsoft.com/fwlink/p/?LinkId=281818).
-
-Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others.
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
deleted file mode 100644
index ec77071c73..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List.
-author: dansimp
-ms.author: dansimp
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Tips and tricks to manage Internet Explorer compatibility
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# Tips and tricks to manage Internet Explorer compatibility
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List.
-
-Jump to:
-- [Tips for IT professionals](#tips-for-it-professionals)
-- [Tips for web developers](#tips-for-web-developers)
-
-[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website.
-
-
-
-Sites in the \
-Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode.
-
- **To turn off the site list using Group Policy**
-
-1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
-
-2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
.
-
-4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
-
- 
-
- - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
-
- - **Local network:** `"SiteList"="\\network\shares\sites.xml"`
-
- - **Local file:** `"SiteList"="file:///c:\\Users\\
|
-|Approver
(includes the App Manager and Group Head roles) |
|
-|Administrator |
|
-
-## Enterprise Mode Site List Portal workflow by employee role
-The following workflow describes how to use the Enterprise Mode Site List Portal.
-
-1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
-
-2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
-
-3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
-
-4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
-
-5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
-
-
-## Related topics
-- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
-
-- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
-
-- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
-
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
deleted file mode 100644
index cbfcfecf93..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 12/04/2017
----
-
-
-# Use the Enterprise Mode Site List Manager
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-
-You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
-
-## Enterprise Mode Site List Manager versions
-There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system.
-
-|Schema version |Operating system |Enterprise Site List Manager version |
-|-----------------|---------------|------------------------------------|
-|Enterprise Mode schema, version 2 (v.2) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.
For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).|
-|Enterprise Mode schema, version 1 (v.1) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.
For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)|
-
-## Using the Enterprise Mode Site List Manager
-The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager.
-
-|Topic |Description |
-|------|------------|
-|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). |
-|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). |
-|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). |
-|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
-|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.
-Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10.
-
-## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode
-For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see:
-
-- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-
-- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-
-- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-
-- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
-
-For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
deleted file mode 100644
index 2090ed72ef..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use IEAK 11 while planning, customizing, and building the custom installation package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11.
-
-**Note**
IEAK 11 works in network environments, with or without Microsoft Active Directory.
-
-
-
-## Plan, Customize, and Build with the IEAK 11
-Consider these activities while planning, customizing, and building the custom installation package.
-
-### Plan
-Before you begin, you should:
-
-- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-
-- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Configuration Manager, or your network.
-
-- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons.
-
-- **Identify trusted network servers.** Decide which servers your employees should use to install the custom IE package. These servers need to be listed as trusted sites.
-
-- **Set up automatic detection and configuration settings.** Decide whether to automatically customize IE11 the first time it's started.
-
-- **Identify custom components for uninstallation.** Decide whether to include any custom uninstallation programs. Uninstallation programs let your employees remove your custom components through **Uninstall or change a program** in the Control Panel.
-
-- **Identify ActiveX controls.** Decide if you'll use ActiveX controls in your company. If you already use ActiveX, you should get an inventory of your active controls.
-
-### Customize and build
-After installing IE11 and the IEAK 11, you should:
-
-- **Prepare your build computer.** Create your build environment on the computer you're using to build the custom package.
-
-- **Create your branding and custom graphics.** If you don't have any, create custom branding and graphic files for the browser toolbar button and icons in your **Favorites** list.
-
-- **Specify your servers as trusted sites.** Identify your installation servers as trusted sites, in the **Trusted sites zone** of the **Internet Options** box.
-
-- **Turn on automatic detection and configuration settings (Optional).** Set up your network so that IE is automatically customized the first time it's started.
-
-- **Set up custom components for uninstallation.** Create the custom .inf file you'll use to register your custom uninstallation programs.
-
-- **Set up ActiveX controls.** Add any new ActiveX controls to the Axaa.adm file, using a text editor.
-
-- **Create a custom browser package.** Create your custom installation package, using IE Customization Wizard 11. For more information about using the wizard, see [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md).
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
deleted file mode 100644
index 0f65a6f4ac..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use Setup Information (.inf) files to create installation packages.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Setup Information (.inf) files to create install packages
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](/windows-hardware/drivers/install/).
-
- **To add uninstallation instructions to the .inf files**
-
-- Open the Registry Editor (regedit.exe) and add these registry keys:
- ```
- HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"
- HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line"
- ```
- Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked.
-
- Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program.
-
-## Limitations
-.Inf files have limitations:
-
-- You can't delete directories.
-
-- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](/windows-hardware/drivers/install/inf-renfiles-directive).
-
-- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](/windows-hardware/drivers/install/inf-copyfiles-directive).
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
deleted file mode 100644
index a31c831abd..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Verify your changes using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-> [!Important]
-> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
-
-The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
-
-- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
-
-- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
-
-## Verify and send the change request to Approvers
-The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
-
-**To verify changes and send to the Approver(s)**
-1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
-
-2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
-
- The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
-
-
-**To rollback your pre-production changes**
-1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
-
-2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
-
- The change request and issue info are sent to the Administrators.
-
-3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
-
- After the Requester rolls back the changes, the request can be updated and re-submitted.
-
-
-## View rolled back change requests
-The original Requester and the Administrator(s) group can view the rolled back change requests.
-
-**To view the rolled back change request**
-
-- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
-
- All rolled back change requests appear, with role assignment determining which ones are visible.
-
-## Next steps
-If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
deleted file mode 100644
index 1ccd3e4d0c..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-## Verify and sign off on the update in the production environment
-The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
-
-**To verify the changes and sign off**
-- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
-
- The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
-
-
-**To rollback production changes**
-1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
-
-2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
-
- The info is sent to the Administrators.
-
-3. The Requester clicks **Roll back** to roll back the changes in the production environment.
-
- After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
deleted file mode 100644
index 9aa736bacb..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
-
-**To view the active Enterprise Mode Site List**
-1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
-
- The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
-
-2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
-
-
-**To export the active Enterprise Mode Site List**
-1. On the **Production sites list** page, click **Export**.
-
-2. Save the ProductionSiteList.xlsx file.
-
- The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
deleted file mode 100644
index f2db72080d..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal.
-
-**To view the reports**
-1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page.
-
- The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
-
-2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers.
-
-3. Click **Apply**.
-
- The reports all change to reflect the appropriate timeframe and group, including:
-
- - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List.
-
- - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field.
-
- - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**.
-
- - **All requests by status.** Shows how many change requests exist, based on each status.
-
- - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field.
-
- - **Request status by group.** Shows how many change requests exist, based on both group and status.
-
- - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field.
-
- - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
deleted file mode 100644
index 613d58863c..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: virtualization
-description: Virtualization and compatibility with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Virtualization and compatibility with Internet Explorer 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
-
-**Important**
-We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](/previous-versions//dn384049(v=vs.85)) to learn about the developer features that have been changed or deprecated since Internet Explorer 10.
-
-The Microsoft-supported options for virtualizing web apps are:
-
-- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](/microsoft-desktop-optimization-pack/medv-v2/).
-
-- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](/previous-versions/windows/it-pro/windows-8.1-and-8/hh857623(v=ws.11)).
-
-6. Clear the **Update Rollup** check box, and then click **OK**.
-
-7. Click **OK** to close the **Automatic Approvals** dialog box.
-
-After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed.
-
-1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
-
-2. Expand *ComputerName*, and then click **Synchronizations**.
-
-3. Click **Synchronize Now**.
-
-4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
-
-5. Choose **Unapproved** in the **Approval**drop down box.
-
-6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
-
-> [!NOTE]
-> There may be multiple updates, depending on the imported language and operating system updates.
-
-### Optional - Reset update rollups packages to auto-approve
-
-1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
-
-2. Expand *ComputerName*, and then click **Options**.
-
-3. Click **Automatic Approvals**.
-
-4. Click the rule that automatically approves updates of different classifications, and then click **Edit**.
-
-5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
-
-6. Check the **Update Rollups** check box, and then click **OK**.
-
-7. Click **OK** to close the **Automatic Approvals** dialog box.
-
-> [!NOTE]
-> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
-
-
-
-## Additional resources
-
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-
-- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml)
-
-- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml)
-
-- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md)
-
-- [Internet Explorer 11 deployment guide](./index.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
deleted file mode 100644
index dd8e3bcce6..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
----
-
-
-# Workflow-based processes for employees using the Enterprise Mode Site List Portal
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow.
-
-## In this section
-|Topic |Description |
-|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
-|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.|
-|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.|
-|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.|
-|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.|
-|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.|
-|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.|
-|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. |
-
-
-## Related topics
-- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
-
-- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
-
-- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
deleted file mode 100644
index 96fce41e4b..0000000000
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
+++ /dev/null
@@ -1,250 +0,0 @@
-### YamlMime:FAQ
-metadata:
- ms.localizationpriority: medium
- ms.mktglfcycl: explore
- description: Frequently asked questions about Internet Explorer 11 for IT Pros
- author: dansimp
- ms.prod: ie11
- ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3
- ms.reviewer:
- audience: itpro
- manager: dansimp
- ms.author: dansimp
- title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros)
- ms.sitesec: library
- ms.date: 10/16/2017
- ms.topic: faq
-title: Internet Explorer 11 - FAQ for IT Pros
-summary: |
- [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
- Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What operating system does IE11 run on?
- answer: |
- - Windows 10
-
- - Windows 8.1
-
- - Windows Server 2012 R2
-
- - Windows 7 with Service Pack 1 (SP1)
-
- - Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-
- - question: |
- How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?
- answer: |
- IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required.
-
- - question: |
- How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?
- answer: |
- You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956).
-
- - question: |
- How does IE11 integrate with Windows 8.1?
- answer: |
- IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences.
-
- - question: |
- What are the new or improved security features?
- answer: |
- IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default.
-
- - question: |
- How is Microsoft supporting modern web standards, such as WebGL?
- answer: |
- Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.
- The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in.
-
- - question: |
- Can I replace IE11 on Windows 8.1 with an earlier version?
- answer: |
- No. Windows 8.1 doesn't support any of the previous versions of IE.
-
- - question: |
- Are there any new Group Policy settings in IE11?
- answer: |
- IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features:
-
- - Turn off Page Prediction
-
- - Turn on the swiping motion for Internet Explorer for the desktop
-
- - Allow Microsoft services to provide more relevant and personalized search results
-
- - Turn off phone number detection
-
- - Allow IE to use the SPDY/3 network protocol
-
- - Let users turn on and use Enterprise Mode from the **Tools** menu
-
- - Use the Enterprise Mode IE website list
-
- For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md).
-
-
- - question: |
- Where can I get more information about IE11 for IT pros?
- answer: |
- Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet.
-
-
-
- - question: |
- Can I customize settings for IE on Windows 8.1?
- answer: |
- Settings can be customized in the following ways:
-
- - IE11 **Settings** charm.
-
- - IE11-related Group Policy settings.
-
- - IEAK 11 for settings shared by both IE and Internet Explorer for the desktop.
-
- - question: |
- Can I make Internet Explorer for the desktop my default browsing experience?
- answer: |
- Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:
-The customizations you make on this page apply only to Internet Explorer for the desktop.
-
- **To use the Accelerators page**
-
-1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list.
-
-2. Click **Add** to add more accelerators.
-ActiveX controls are supported in Internet Explorer for the desktop for Windows 7 and Windows 8.1. They are not supported on the immersive version of Internet Explorer for Windows 8.1.
-
-## Scenario 1: Limited Internet-only use of ActiveX controls
-While you might not care about your employees using ActiveX controls while on your intranet sites, you probably do want to limit ActiveX usage while your employee is on the Internet. By specifying and pre-approving a set of generic controls for use on the Internet, you’re able to let your employees use the Internet, but you can still limit your company’s exposure to potentially hazardous, non-approved ActiveX controls.
-
-For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `
-This page only appears if you’re using the **Internal** version of the wizard.
-
-You can set your proxy settings using Internet setting (.ins) files. You can also configure and maintain your advanced proxy settings using JScript (.js), JavaScript (.jvs), or proxy auto-configuration (.pac) script files. When you provide an auto-proxy script, IE dynamically determines whether to connect directly to a host or to use a proxy server.
-
-You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages.
-
-**To check the existing settings on your employee’s devices**
-
-1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab.
-
-2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box.
-
-**To use the Automatic Configuration page**
-
-1. Check the **Automatically detect configuration settings** box to automatically detect browser settings.
-
-2. Check the **Enable Automatic Configuration** box if you plan to automatically change your IE settings after deployment, using configuration files. You can then:
-
- - Type the length of time (in minutes) for how often settings are to be applied in your company. Putting zero (**0**), or nothing, in this box will cause automatic configuration to only happen when the computer’s restarted.
-
- - Type the location to your .ins file. You can edit this file directly to make any necessary changes.
-
- The updates will take effect the next time your employee starts IE, or during your next scheduled update.
-
- - Type the location to your automatic proxy script file.
-
- **Note**
- If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`.
-
-3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
deleted file mode 100644
index fadc8246a0..0000000000
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Set up auto detection for DHCP or DNS servers using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac).
-
-Before you can set up your environment to use automatic detection, you need to turn the feature on.
-
-**To turn on the automatic detection feature**
-
-- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md).
-
-## Automatic detection on DHCP and DNS servers
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
- Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file.
-
- DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-**To set up automatic detection for DHCP servers**
-
-- Open the [DHCP Administrative Tool](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145324(v=ws.10)), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](/previous-versions/tn-archive/bb794881(v=technet.10)).
-
- **Examples:**
- `https://www.microsoft.com/webproxy.pac`
- `https://marketing/config.ins`
- `https://123.4.567.8/account.pac`
- `
- `corserv IN A 192.55.200.143`
- `nameserver2 IN A 192.55.200.2`
- `mailserver1 IN A 192.55.200.51`
-
For more info about creating a WPAD entry, see Creating a WPAD entry in DNS.
-
-2. After the database file propagates to the server, the DNS name, `wpad.
-IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad.
-You must run the **Automatic Version Synchronization** page once for each operating system and language combination of IE.
-
-The **Automatic Version Synchronization** page tells you:
-
-- **Version available on your machine**. The version of IE11 that’s running on the computer that’s also running the IE Customization Wizard 11.
-
-- **Latest version available on web**. The most recently released version of the IE Customization Wizard 11. To get this value, the wizard compares the version of IE on your computer to the latest version of IE on the **Downloads** site. If the versions are different, you’ll be asked to update your version of IE.
-
-- **Disk space required**. The amount of space on your hard drive needed to update the browser.
-
-- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11.
-
-
-**To use the Automatic Version Synchronization page**
-
-1. Click **Synchronize**.
| Determines the default browser behavior. |
-|CMBitmapName | `
| Determines whether to use a custom Connection Manager profile. |
-|CompanyName |`
|Determines whether to encode the **[Favorites]** section for versions of IE earlier than 5.0. |
-|FavoritesDelete |*hexadecimal:* `0x89` |Lets you remove all existing Favorites and Quick Links. |
-|FavoritesOnTop |
|Determines whether to put new favorite items at the top of the menu. |
-|IE4 Welcome Msg |
|Determines whether a **Welcome** page appears. |
-|Language ID |`
|Determines whether to optimize the Active Setup Wizard for download. |
-|SilentInstall |
|Determines whether Windows Update Setup runs interactively on the employee’s computer.
This only appears for the **Internal** version of the IEAK 11. |
-|StealthInstall |
|Determines whether Windows Update Setup shows error messages and dialog boxes.
This only appears for the **Internal** version of the IEAK 11. |
-|Toolbar Bitmap |`
|The version of IEAK 11 being used. |
-|User Agent |`
|Determines whether the IE 4.x integrated shell is included in this package. |
-|Win32DownloadSite |`
The customizations you make on this page apply only to Internet Explorer for the desktop.
-
- **To use the Browser User Interface page**
-
-1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.
Only Administrators can use this option.
-
-3. Click **Add** to add new toolbar buttons.
|Determines whether to delete the existing custom toolbar buttons. |
-|HotIcon0 |`
|Determines whether to show the new button on the toolbar by default. |
-|ToolTipText0 |`
Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
-
-**To view your current connection settings**
-
-1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab.
-
-2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings.
-
-**To use the Connection Settings page**
-
-1. Decide if you want to customize your connection settings. You can pick:
-
- - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings.
-
- - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings.
-
- **Note**
If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes.
-
-2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers.
-
-3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page.
-
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
deleted file mode 100644
index 0e7777a64e..0000000000
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the ConnectionSettings .INS file to review the network connections for install
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers.
-
-|Name |Value |Description |
-|-----------|---------------------------|-------------|
-|ConnectName0 |`
|Determines whether to remove the existing connection settings during installation of your custom package. |
-|Option |
This only appears for the **Internal** version of the IEAK 11.
|Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
deleted file mode 100644
index 0befbc922f..0000000000
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: How to create your folder structure on the computer that you’ll use to build your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Create the build computer folder structure using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**.
-
-|Name |Version |Description |
-|-----------------|----------------------|---------------------------------------------------------|
-|`\
|
-|Prep your environment and get all of the info you'll need for running IEAK 11 |
|
-|Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
|
-|Review your policy settings and create multiple versions of your install package. |
|
-|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
|
-
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
deleted file mode 100644
index 5d88bfa81a..0000000000
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Create multiple versions of your custom package using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You'll need to create multiple versions of your custom browser package if:
-
-- You support more than 1 version of the Windows operating system.
-
-- You support more than 1 language.
-
-- You have custom installation packages with only minor differences. For example, having a different phone number or a different set of URLs in the **Favorites** folder.
-
-The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md).
-
-**To create multiple versions of your browser package**
-
-1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic.
-
-2. Go to the Cie\Custom folder and rename the Install.ins file to a name that reflects the version. Like, if you need a version for your employees in Texas, you could name the file Texas.ins.
-
-3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.
Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers.
-
-4. Repeat this process until you’ve created a package for each version of your custom installation package.
-
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
deleted file mode 100644
index ba3904ae39..0000000000
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use uninstallation .INF files to uninstall custom components
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
-
-**To uninstall your custom components**
-
-1. Open the Registry Editor and add a new key and value to:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`
You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
-
-**To use the Custom Component page**
-
-1. Click **Add**.
You should install your component before IE if you need to run a batch file to configure your employee settings. You should install your component after IE if you plan to install software updates.
-
-4. Check the **Only install if IE is installed successfully** box if your component should only install if IE installs successfully. For example, if you’re installing a security update that requires IE.
-
-5. If your component is a .cab file, you must provide the extraction command into the **Command** box.
-
-6. If your component has its own globally unique identifier (GUID), replace the value in the **GUID** box. Otherwise, keep the automatically generated GUID.
-
-7. Describe your component using up to 511 characters in the **Description** box.
-
-8. Type any command-line options that need to run while installing your component into the **Parameters** box. For example, if you want your component to install silently, without prompts. For more info about using options, see [IExpress command-line options](iexpress-command-line-options.md).
-
-9. Type the value that Microsoft Update Setup uses to check that the component installed successfully into the **Uninstall Key** box. This check is done by comparing your value to the value in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` key.
-
-10. Type a numeric serial number for your component into the **Version** box, using this format: *xxxx*, *xxxxxx*, *xxxx*, *xxxx*.
-
-11. Click **Add**.
If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location.
-
-2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**.
-
-3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box.
-
-**To redirect to a different site than the one provided by the search results**
-
-- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**.
-
-**To disable Automatic Search**
-
-- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**.
-
-### Automatic Search parameters
-You must replace the Automatic Search script file parameters, *%1* and *%2* so they’re part of the actual URL.
-
-|Parameter |Value |
-|----------|--------------------------------------------------------|
-|1% |The text string typed by an employee into the **Address** bar. |
-|2% |The type of search chosen by an employee. This can include:
|
-
-### Sample Automatic Search script
-This is a VBScript-based sample of an .asp Automatic Search script.
-
-```
-<%@ Language=VBScript %>
-<%
-' search holds the words typed in the Address bar
-' by the user, without the "go" or
-' "find" or any delimiters like
-' "+" for spaces.
-' If the user typed
-' "Apple pie," search = "Apple pie."
-' If the user typed
-' "find Apple pie," search = "Apple pie."
-
-search = Request.QueryString("MT")
-search = UCase(search)
-searchOption = Request.QueryString("srch")
-
-' This is a simple if/then/else
-' to redirect the browser to the site
-' of your choice based on what the
-' user typed.
-' Example: expense report is an intranet page
-' about filling out an expense report
-
-if (search = "NEW HIRE") then
-Response.Redirect("https://admin/hr/newhireforms.htm")
-elseif (search = "LIBRARY CATALOG") then
-Response.Redirect("https://library/catalog")
-elseif (search = "EXPENSE REPORT") then
-Response.Redirect("https://expense")
-elseif (search = "LUNCH MENU") then
-Response.Redirect("https://cafe/menu/")
-else
-
-' If there is not a match, use the
-' default IE autosearch server
-Response.Redirect("https://auto.search.msn.com/response.asp?MT="
-+ search + "&srch=" + searchOption +
-"&prov=&utf8")
-end if
-%>
-```
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
deleted file mode 100644
index 7d0a2f9882..0000000000
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the ExtRegInf .INS file to specify installation files and mode
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about how to specify your Setup information (.inf) files and the installation mode for your custom components.
-
-|Name |Value |Description |
-|-----------|---------|------------------------------------------------------------------------------------------------------------------|
-|Chat |*string* |The name of the .inf file and the install mode for components. For example, *,chat.inf,DefaultInstall. |
-|Conf |*string* |The name of the .inf file and the install mode for components. For example, *,conf.inf,DefaultInstall. |
-|Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. |
-|Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. |
-|Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. |
-|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
deleted file mode 100644
index 030dc054d2..0000000000
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add:
-
-- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**.
-
-- **Web Slices.** Used so your employees can subscribe to a section of a webpage, tracking information as it changes, such as for weather reports, stock prices, or the progress of an auction item.
-
-- **Feeds.** Used so your employees can quickly access your recommended RSS feeds. While you can’t import a folder of RSS feeds, you can add new links.
-
-Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop.
-
-**To work with Favorites**
-
-1. To import your existing folder of links, pick **Favorites**, and then click **Import**.
-
-2. Go to your existing link folder, most likely in the `
|Determines if the **Favorites** item is available for offline browsing. |
-|Title1 |`
Your choices on this page determine what wizard pages appear.
-
-**To use the Feature Selection page**
-
-1. Check the box next to each feature you want to include in your custom installation package.
-You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with.
-
-**To use the File Locations page**
-
-1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.
Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders.
-
-2. Click **Advanced Options**.
-You must run Automatic Version Synchronization at least once to check for updated components.
-
-4. Browse to your .ins file location, and then click **Open**.
You must never edit a .sed file. |
-|.spc |The software publishing certificate file, which includes:
|
-
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
deleted file mode 100644
index 9d6fe74f8a..0000000000
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system.
-
-- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop.
-
-- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page.
-
-**To use the First Run Wizard and Welcome Page Options page**
-
-1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.
Check your license agreement to make sure this customization is available.
-
-|Graphic |Type and description |
-|-----------------------|----------------------------------------------------------------------|
-|Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. |
-|Favorites List icons |1 icon (.ico) file for each new URL. |
-
-Your icons must use the .ico file extension, no other image file extension works.
-
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
deleted file mode 100644
index 2da43b7f38..0000000000
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Hardware and software requirements for Internet Explorer 11 and the IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page.
-
-## Hardware requirements
-Before you start the Internet Explorer Customization Wizard 11, you must check to see how much disk space you have on the drive you're going to use to build the IE11 install package. This drive can be on the same device as the one running the wizard; it just needs to have a secure destination folder.
-
-Before you start to create your install package, you must meet all of the [Internet Explorer 11 requirements](../ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md), plus:
-
-- Up to 100 megabytes (MB) of disk space, depending on how many components you include in the installation package.
-
-- An additional 100 MB of disk space for each custom installation package built. Different media types are considered separate packages.
-
-## Software requirements
-The device you're going to use to build your install packages must be running Internet Explorer 11, on one of these operating systems:
-
-- Windows 10
-The device you're going to use to run IEAK 11 must be running the same version of the operating system as the device where you'll build your install packages.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
deleted file mode 100644
index 6c46e306f3..0000000000
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component.
-author: dansimp
-ms.prod: ie11
-ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the HideCustom .INS file to hide the GUID for each custom component
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about whether to hide the globally unique identifier (GUID) for each of your custom components.
-
-|Name |Value |Description |
-|------|-------------------------------------------------------------------------------------|-----------------------------------------------|
-|GUID |
|Determines whether this is a hidden component. |
-
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
deleted file mode 100644
index c9d24160a9..0000000000
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Reference about the command-line options and return codes for Internet Explorer Setup.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Internet Explorer Setup command-line options and return codes
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization.
-
-## IE Setup command-line options
-These command-line options work with IE Setup:
-
-`[/help] [/passive | /quiet] [/update-no] [/no-default] [/nobackup] [/ieak-full:
The employee cancelled Setup and is then asked to confirm:
If the cancellation is confirmed, Setup will quit as soon as all of the in-progress tasks are done, like copying or extracting files. |
-
-## Related topics
-- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
-- [Express Wizard command-line options](iexpress-command-line-options.md)
-
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
deleted file mode 100644
index 8a02248b90..0000000000
--- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
-author: dansimp
-ms.author: dansimp
-ms.manager: dougkim
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Internet Explorer Administration Kit (IEAK) information and downloads
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# Internet Explorer Administration Kit (IEAK) information and downloads
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
->Applies to: Windows 10
-
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
-
-
-## Internet Explorer Administration Kit 11 (IEAK 11)
-
-[IEAK 11 documentation](index.md)
-
-[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-
-[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
-
-[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md)
-
-## Download IEAK
-
-To download, choose to **Open** the download or **Save** it to your hard drive first.
-
-:::row:::
- :::column span="":::
- [English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi)
-
- [Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi)
-
- [Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi)
-
- [Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi)
-
- [Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi)
-
- [Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi)
-
- [Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi)
-
- [Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi)
-:::column-end:::
- :::column span="":::
- [French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi)
-
- [German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi)
-
- [Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi)
-
- [Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi)
-
- [Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi)
-
- [Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi)
-
- [Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi)
-
- [Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi)
-:::column-end:::
- :::column span="":::
- [Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi)
-
- [Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi)
-
- [Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi)
-
- [Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi)
-
- [Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi)
-
- [Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi)
-
- [Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi)
-
- [Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi)
-:::column-end:::
-:::row-end:::
-
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
deleted file mode 100644
index 0aa9964807..0000000000
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Review the options available to help you customize your browser install packages for deployment to your employee's devices.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices.
-
-## IE Customization Wizard 11 options
-IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and Internet Explorer for the desktop experiences. For more info about the experiences, see [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). For info about which pages appear in the **Internal** or **External** version of IE Customization Wizard 11, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
-
-|Internet Explorer Customization Wizard 11 page |Browser experience |Description |
-|-----------------------------------------------|------------------------------------|-----------------------------|
-|[Custom Components](custom-components-ieak11-wizard.md) |Internet Explorer for the desktop |Add up to 10 additional components that your employees can install at the same time they install IE. |
-|[Internal install](internal-install-ieak11-wizard.md) |Internet Explorer for the desktop |Choose to set IE11 as the default browser.
This only applies to IE11 on Windows 7 SP1 |
-|[User Experience](user-experience-ieak11-wizard.md) |Internet Explorer for the desktop |Control the installation and restart experience for your employees.
You can turn off the entire **Suggested Sites** feature from this page. |
-|[Browsing Options](browsing-options-ieak11-wizard.md) |Doesn't apply. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. |Choose how to manage items in the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. You can also turn off the Microsoft-default Favorites, Web slices, links, feeds, and accelerators. |
-|[First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) |Internet Explorer for the desktop |Decide if the First Run wizard appears the first time an employee starts IE. You can also use the IE11 **Welcome** page, or link to a custom **Welcome** page. |
-|[Compatibility View](compat-view-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. For more information, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). |
-|[Connection Manager](connection-mgr-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. |
-|[Connection Settings](connection-settings-ieak11-wizard.md) |Both |Choose whether to customize your connection settings. You can also choose to delete old dial-up connection settings. |
-|[Automatic Configuration](auto-config-ieak11-wizard.md) |Both |Choose whether to automatically detect configuration settings and whether to turn on and customize automatic configuration. |
-|[Proxy Settings](proxy-settings-ieak11-wizard.md) |Both |Turn on and set up your proxy servers.
We don't support Gopher Server anymore. |
-|[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. |
-|[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:
|
-|[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. |
-|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
deleted file mode 100644
index 391784b8a4..0000000000
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Reference about the command-line options for the IExpress Wizard.
-author: dansimp
-ms.prod: ie11
-ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# IExpress Wizard command-line options
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-
-**Applies to:**
-- Windows Server 2008 R2 with SP1
-
-Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process.
-
-These command-line options work with IExpress:
-`Ie11setup
The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
-
-**To use the Internal Install page**
-
-1. Pick either:
-
- - **Allow user to choose.** Lets your employees pick their own default browser.
Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
-
-**To use the Language Selection page**
-
-1. Pick the language you want your custom IE11 installation package to use.
To keep your settings across multiple versions of the package, you can pick the same destination folder for all versions. The different language versions are then saved in separate subfolders within that destination folder. Like, for an English version, `C:\Cie\Build1\Flat\Win32_WIN8\en-US\` and for a German version, `C:\Cie\Build1\Flat\Win32_WIN8\de-DE\`.
-
-2. Click **Next** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page or **Back** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
deleted file mode 100644
index 9eba34b5e1..0000000000
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Learn about the version of the IEAK 11 you should run, based on your license agreement.
-author: dansimp
-ms.author: dansimp
-ms.prod: ie11
-ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/23/2018
----
-
-
-# Determine the licensing version and features to use in IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
-
-During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
-
-- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- > [!IMPORTANT]
- > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
-
-- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
-
-## Available features by version
-
-| Feature | Internal | External |
-|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-| Welcome screen |  |  |
-| File locations |  |  |
-| Platform selection |  |  |
-| Language selection |  |  |
-| Package type selection |  |  |
-| Feature selection |  |  |
-| Automatic Version Synchronization (AVS) |  |  |
-| Custom components |  |  |
-| Internal install |  |  |
-| User experience |  |  |
-| Browser user interface |  |  |
-| Search providers |  |  |
-| Important URLs – Home page and support |  |  |
-| Accelerators |  |  |
-| Favorites, Favorites bar, and feeds |  |  |
-| Browsing options |  |  |
-| First Run wizard and Welcome page options |  |  |
-| Connection manager |  |  |
-| Connection settings |  |  |
-| Automatic configuration |  |  |
-| Proxy settings |  |  |
-| Security and privacy settings |  |  |
-| Add a root certificate |  |  |
-| Programs |  |  |
-| Additional settings |  |  |
-| Wizard complete |  |  |
-
----
-
-
-## Customization guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-
-- **Internal Distribution**
- This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
-
-The table below identifies which customizations you may or may not perform based on the mode you selected.
-
-| **Feature Name** | **External Distribution** | **Internal Distribution** |
-|---------------------------------|:--------------------:|:-------------------:|
-| **Custom Components** | Yes | Yes |
-| **Title Bar** | Yes | Yes |
-| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
-| **Search Provider URLs** | Yes | Yes |
-| **Search Guide URL** | No | Yes |
-| **Online Support URL** | Yes | Yes |
-| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
-| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
-| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
-| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
-| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
-| **Browsing Options** | No | Yes |
-| **Security and Privacy Settings** | No | Can add any number of sites. |
-| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
-| **User Experience** (Setup/Restart) | No | Yes |
-| **User Agent String** | Yes | Yes |
-| **Compatibility View** | Yes | Yes |
-| **Connection Settings and Manage** | Yes | Yes |
-
-
-Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](./ieak11-wizard-custom-options.md).
-
-## Distribution guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy).
-
-- **Internal Distribution - corporate intranet**
- The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
deleted file mode 100644
index f628def610..0000000000
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available.
-author: dansimp
-ms.prod: ie11
-ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Media .INS file to specify your install media
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The types of media on which your custom install package is available.
-
-|Name |Value |Description |
-|-----|------|-----------------|
-|Build_LAN |
|Determines whether you want to create a LAN-based installation package. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
deleted file mode 100644
index ae7b3c6150..0000000000
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Package Type Selection page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it.
-
-**Important**
You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
-
-**To use the File Locations page**
-
-1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `
You can’t include custom components in a configuration-only package.
-
-3. Click **Next** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page or **Back** to go to the [Language Selection](language-selection-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
deleted file mode 100644
index 67d9caac65..0000000000
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Platform Selection page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
-
-**To use the Platform Selection page**
-
-1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md).
-
-2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
deleted file mode 100644
index 4720c446af..0000000000
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Before you install your package over your network using IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
-
-**To lower your intranet security**
-
-1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab.
-
-2. Click **Local intranet**, and then **Sites**.
-
-3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**.
-
-**To make your server a trusted site**
-
-1. From the **Security** tab, click **Trusted sites**, and then **Sites**.
-
-2. Type the location of the server with the downloadable custom browser package, and then click **Add**.
-
-3. Repeat this step for every server that will include the custom browser package for download.
-
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
deleted file mode 100644
index acfbbc74ae..0000000000
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
-author: dansimp
-ms.prod: ie11
-ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Programs page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
-
-**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
-
-**To use the Programs page**
-
-1. Determine whether you want to customize your connection settings. You can pick:
-
- - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes.
-
-2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
deleted file mode 100644
index 56a0823f9a..0000000000
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ /dev/null
@@ -1,185 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use proxy auto-configuration (.pac) files with IEAK 11
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info.
-
-Included examples:
-- [Example 1: Connect directly if the host is local](#example-1-connect-directly-if-the-host-is-local)
-- [Example 2: Connect directly if the host is inside the firewall](#example-2-connect-directly-if-the-host-is-inside-the-firewall)
-- [Example 3: Connect directly if the host name is resolvable](#example-3-connect-directly-if-the-host-name-is-resolvable)
-- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
-- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
-- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
-- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
-- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
-- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
-- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)
-
-
-## Example 1: Connect directly if the host is local
-In this example, if the host is local, it can connect directly. However, if the server isn't local, it must connect through a proxy server. Specifically, the `isPlainHostName` function looks to see if there are any periods (.) in the host name. If the function finds periods, it means the host isn’t local and it returns false. Otherwise, the function returns true.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (isPlainHostName(host))
- return "DIRECT";
- else
- return "PROXY proxy:80";
- }
-```
-## Example 2: Connect directly if the host is inside the firewall
-In this example, if the host is inside the firewall, it can connect directly. However, if the server is outside the firewall, it must connect through a proxy server. Specifically, the `localHostOrDomainIs` function only runs for URLs in the local domain. If the host domain name matches the provided domain information, the `dnsDomainIs` function returns true.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if ((isPlainHostName(host) ||
- dnsDomainIs(host, ".company.com")) &&
- !localHostOrDomainIs(host, "www.company.com") &&
- !localHostOrDoaminIs(host, "home.company.com"))
- return "DIRECT";
- else
- return "PROXY proxy:80";
-}
-```
-## Example 3: Connect directly if the host name is resolvable
-In this example, if the host name can be resolved, it can connect directly. However, if the name can’t be resolved, the server must connect through a proxy server. Specifically, this function requests the DNS server to resolve the host name it's passed. If the name can be resolved, a direct connection is made. If it can't, the connection is made using a proxy. This is particularly useful when an internal DNS server is used to resolve all internal host names.
-
-**Important**
The `isResolvable` function queries a Domain Name System (DNS) server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (isResolvable(host))
- return "DIRECT";
- else
- return "PROXY proxy:80";
- }
-```
-
-## Example 4: Connect directly if the host is in specified subnet
-In this example, if the host is in a specified subnet, it can connect directly. However, if the server is outside of the specified subnet, it must connect through a proxy server. Specifically, the `isInNet` (host, pattern, mask) function returns true if the host IP address matches the specified pattern. The mask indicates which part of the IP address to match (255=match, 0=ignore).
-
-**Important**
The `isInNet` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (isInNet(host, "999.99.9.9", "255.0.255.0"))
- return "DIRECT";
- else
- return "PROXY proxy:80";
- }
-```
-## Example 5: Determine the connection type based on the host domain
-In this example, if the host is local, the server can connect directly. However, if the host isn’t local, this function determines which proxy to use based on the host domain. Specifically, the `shExpMatch(str, shexp)` function returns true if `str` matches the `shexp` using shell expression patterns. This is particularly useful when the host domain name is one of the criteria for proxy selection.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (isPlainHostName(host))
- return "DIRECT";
- else if (shExpMatch(host, "*.com"))
- return "PROXY comproxy:80";
- else if (shExpMatch(host, "*.edu"))
- return "PROXY eduproxy:80";
- else
- return "PROXY proxy";
- }
-```
-## Example 6: Determine the connection type based on the protocol
-In this example, the in-use protocol is extracted from the server and used to make a proxy selection. If no protocol match occurs, the server is directly connected. Specifically the `substring` function extracts the specified number of characters from a string. This is particularly useful when protocol is one of the criteria for proxy selection.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (url.substring(0, 5) == "http:") {
- return "PROXY proxy:80";
- }
- else if (url.substring(0, 4) == "ftp:") {
- return "PROXY fproxy:80";
- }
- else if (url.substring(0, 6) == "https:") {
- return "PROXY secproxy:8080";
- }
- else {
- return "DIRECT";
- }
- }
-```
-## Example 7: Determine the proxy server based on the host name matching the IP address
-In this example, the proxy server is selected by translating the host name into an IP address and then comparing the address to a specified string.
-
-**Important**
The `dnsResolve` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy
- return "PROXY secproxy:8080";
- }
- else {
- return "PROXY proxy:80";
- }
- }
-```
-## Example 8: Connect using a proxy server if the host IP address matches the specified IP address
-In this example, the proxy server is selected by explicitly getting the IP address and then comparing it to a specified string. If no protocol match occurs, the server makes a direct connection. Specifically, the `myIpAddress` function returns the IP address (in integer-period format) for the host that the browser is running on.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (myIpAddress() == "999.99.999.99") {
- return "PROXY proxy:80";
- }
- else {
- return "DIRECT";
- }
- }
-```
-## Example 9: Connect using a proxy server if there are periods in the host name
-In this example, the function looks to see if there are periods (.) in the host name. If there are any periods, the connection occurs using a proxy server. If there are no periods, a direct connection occurs. Specifically, the `dnsDomainLevels` function returns an integer equal to the number of periods in the host name.
-
-**Note**
This is another way to determine connection types based on host name characteristics.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if (dnsDomainLevels(host) > 0) { // if the number of periods in host > 0
- return "PROXY proxy:80";
- }
- return "DIRECT";
- }
-```
-## Example 10: Connect using a proxy server based on specific days of the week
-In this example, the function decides whether to connect to a proxy server, based on the days of the week. Connecting on days that don’t fall between the specified date parameters let the server make a direct connection. Specifically the `weekdayRange(day1 [,day2] [,GMT] )` function returns whether the current system time falls within the range specified by the parameters `day1`, `day2`, and `GMT`. Only the first parameter is required. The GMT parameter presumes time values are in Greenwich Mean Time rather than the local time zone. This function is particularly useful for situations where you want to use a proxy server for heavy traffic times, but allow a direct connection when traffic is light.
-
-``` javascript
-function FindProxyForURL(url, host)
- {
- if(weekdayRange("WED", "SAT", "GMT"))
- return "PROXY proxy:80";
- else
- return "DIRECT";
- }
-```
-
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
deleted file mode 100644
index 9def48f2d3..0000000000
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Proxy .INS file to specify a proxy server
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server.
-
-|Name |Value |Description |
-|-----|------|------------|
-|FTP_Proxy_Server |`
|Determines whether to use a proxy server. |
-|Proxy_Override |`
|Determines whether to use a single proxy server for all services. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
deleted file mode 100644
index ba113af6cc..0000000000
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Proxy Settings page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package.
-
-Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
-
-**To use the Proxy Settings page**
-
-1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services.
-
-2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.
IE11 also uses this registry key to verify that the component installed successfully during setup.
-
-|Subkey |Data type |Value |
-|-------|----------|-----------|
-|DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. |
-|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
deleted file mode 100644
index 52e023abde..0000000000
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: manage
-description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772175(v=ws.11)).
-
-**To add the RSoP snap-in**
-
-1. On the **Start** screen, type *MMC*.
The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
-
-**To use the Search Providers page**
-
-1. Click **Import** to automatically import your existing search providers from your current version of IE into this list.
-
-2. Click **Add** to add more providers.
To change your settings, click **Modify Settings** to open the **Internet Properties** box, and then click the **Security** and **Privacy** tabs to make your changes.
-
-2. Decide if you want to customize your content ratings. You can pick:
-
- - **Do not customize content ratings.** Pick this option if you don’t want to customize content ratings.
-
- - **Import the current content ratings settings.** Pick this option to import your content rating settings from your computer and use them as the preset for your employee’s settings.
Not all Internet content is rated. If you choose to allow users to view unrated sites, some of those sites could contain inappropriate material. To change your settings, click **Modify Settings** to open the **Content Advisor** box, where you can make your changes.
-
-3. Click **Next** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page or **Back** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
deleted file mode 100644
index b4fd0c45b2..0000000000
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Security Imports .INS file to import security info
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-Info about how to import security information from your local device to your custom package.
-
-|Name |Value |Description |
-|-----|------|------------|
-|ImportAuthCode |
|Whether to import the existing Authenticode settings. |
-|ImportRatings |
|Whether to import the existing Content Ratings settings. |
-|ImportSecZones |
|Whether to import the existing Security Zone settings. |
-|ImportSiteCert |
|Whether to import the existing site certification authorities. |
-|Win16SiteCerts |
|Whether to use site certificates for computers running 16-bit versions of Windows. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
deleted file mode 100644
index e4fcd7c739..0000000000
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package.
-author: dansimp
-ms.author: dansimp
-ms.prod: ie11
-ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4
-ms.reviewer:
-audience: itpro
-manager: dansimp
-title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Troubleshoot custom package and IEAK 11 problems
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
-
-## I am unable to locate some of the wizard pages
-The most common reasons you will not see certain pages is because:
-
-- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
-
-- **Your choice of operating system.** Depending on the operating system you picked from the **Platform Selection** page of the wizard, you might not see all of the pages. Some features aren’t available for all operating systems. For more information, see [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md).
-
-- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md).
-
-## Internet Explorer Setup fails on user's devices
-Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure.
-
-### Main.log file codes
-
-|Code |Description |
-|-----|------------|
-|0 |Initializing, making a temporary folder, and checking disk space. |
-|1 |Checking for all dependencies. |
-|2 |Downloading files from the server. |
-|3 |Copying files from download location to the temporary installation folder. |
-|4 |Restarting download and retrying Setup, because of a time-out error or other download error. |
-|5 |Checking trust and checking permissions. |
-|6 |Extracting files. |
-|7 |Running Setup program (an .inf or .exe file). |
-|8 |Installation is finished. |
-|9 |Download finished, and all files are downloaded. |
-
-### Main.log error codes
-
-|Code |Description |
-|-----|------------|
-|80100003 |Files are missing from the download folder during installation. |
-|800bxxxx |An error code starting with 800b is a trust failure. |
-|800Cxxxx |An error code starting with 800C is a Urlmon.dll failure. |
-
-
-## Internet Explorer Setup connection times out
-Internet Explorer Setup can switch servers during the installation process to maintain maximum throughput or to recover from a non-responsive download site (you receive less than 1 byte in 2 minutes). If the connection times out, but Setup is able to connect to the next download site on the list, your download starts over. If however the connection times out and Setup can’t connect to a different server, it’ll ask if you want to stop the installation or try again.
-
-To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround:
-
-``` syntax
-
|Determines whether to automatically configure the customized browser on your employee’s device. |
-|AutoConfigJSURL |`
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
-|Quick_Link_1 |`
|Determines whether to make the Quick Links available for offline browsing. |
-|Search_Page |`
|Determines whether to use a local Internet Settings (.ins) file |
-
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
deleted file mode 100644
index 364daedbbc..0000000000
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
-author: dansimp
-ms.prod: ie11
-ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
-ms.reviewer:
-audience: itpro
-manager: dansimp
-ms.author: dansimp
-title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the User Experience page in the IEAK 11 Wizard
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-
-The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
-
-**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/BasePolicyId
+```
+
+
+
+
+The BasePolicyId of the Policy Indicated by the Policy GUID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
##### Policies/{Policy GUID}/PolicyInfo/FriendlyName
@@ -453,6 +487,45 @@ TRUE/FALSE if the Policy is a System Policy, that's a policy managed by Microsof
+
+##### Policies/{Policy GUID}/PolicyInfo/PolicyOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/PolicyOptions
+```
+
+
+
+
+The PolicyOptions of the Policy Indicated by the Policy GUID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
##### Policies/{Policy GUID}/PolicyInfo/Status
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index e7b2417319..b7c198fd13 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,14 +1,7 @@
---
title: AppLocker CSP
description: Learn more about the AppLocker CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index 313a0a7700..11f10bf906 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,14 +1,7 @@
---
title: AppLocker DDF file
description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 6aea2cc955..85fa624e4a 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,14 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 30739845c8..f5e0e84d26 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,14 +1,7 @@
---
title: AssignedAccess DDF file
description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -61,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
|
@@ -499,7 +492,7 @@ The PFX isn't exportable when it's installed to TPM.
| Format | `bool` |
| Access Type | Add, Get, Replace |
| Default Value | true |
-| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
|
@@ -1975,7 +1968,7 @@ When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the s
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get, Replace |
-| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
|
@@ -2073,7 +2066,7 @@ Optional. Used to specify if the private key installed is exportable (can be exp
| Format | `bool` |
| Access Type | Add, Get, Replace |
| Default Value | true |
-| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
|
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index d51b9201d5..7648af9a26 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,14 +1,7 @@
---
title: ClientCertificateInstall DDF file
description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -46,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the C
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxDepth
+```
+
+
+
+
+Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+### Configuration/ArchiveMaxSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxSize
+```
+
+
+
+
+Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
### Configuration/ASROnlyPerRuleExclusions
@@ -402,6 +490,485 @@ Apply ASR only per rule exclusions.
+
+### Configuration/BehavioralNetworkBlocks
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Configuration/BehavioralNetworkBlocks/BruteForceProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
+```
+
+
+
+
+Set the criteria for when Brute-Force Protection blocks IP addresses.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Low: Only IP addresses that are 100% confidence malicious (default). |
+| 1 | Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious. |
+| 2 | High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious. |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
+```
+
+
+
+
+Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not configured: Apply defaults set by the antivirus engine and platform. |
+| 1 | Block: Prevent suspicious and malicious behaviors. |
+| 2 | Audit: Generate EDR detections without blocking. |
+| 4 | Off: Feature is disabled with no performance impact. |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
+```
+
+
+
+
+Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
+```
+
+
+
+
+Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+#### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
+```
+
+
+
+
+Set the criteria for when Remote Encryption Protection blocks IP addresses.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Low: Block only when confidence level is 100% (Default). |
+| 1 | Medium: Use cloud aggregation and block when confidence level is above 99%. |
+| 2 | High: Use cloud intel and context, and block when confidence level is above 90%. |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
+```
+
+
+
+
+Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not configured: Apply defaults set for the antivirus engine and platform. |
+| 1 | Block: Prevent suspicious and malicious behaviors. |
+| 2 | Audit: Generate EDR detections without blocking. |
+| 4 | Off: Feature is off with no performance impact. |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
+```
+
+
+
+
+Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
+```
+
+
+
+
+Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
### Configuration/DataDuplicationDirectory
@@ -540,7 +1107,7 @@ Defines the maximum data duplication quota in MB that can be collected. When the
-Define data duplication remote location for device control.
+Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.
@@ -1841,8 +2408,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
| Value | Description |
|:--|:--|
-| 1 (Default) | DNS Sinkhole is disabled. |
-| 0 | DNS Sinkhole is enabled. |
+| 0 | DNS Sinkhole is disabled. |
+| 1 (Default) | DNS Sinkhole is enabled. |
@@ -2209,7 +2776,7 @@ Allow managed devices to update through metered connections. Default is 0 - not
-This sets the reputation mode for Network Protection.
+This sets the reputation mode engine for Network Protection.
@@ -2226,6 +2793,15 @@ This sets the reputation mode for Network Protection.
| Default Value | 0 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Use standard reputation engine. |
+| 1 | Use ESP reputation engine. |
+
+
@@ -2750,9 +3326,19 @@ Defines which device's primary ids should be secured by Defender Device Control.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Regular Expression: `^RemovableMediaDevices|CdRomDevices|WpdDevices|PrinterDevices$` |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| RemovableMediaDevices | RemovableMediaDevices. |
+| CdRomDevices | CdRomDevices. |
+| WpdDevices | WpdDevices. |
+| PrinterDevices | PrinterDevices. |
+
+
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index e46a86acbd..2e65444a0f 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,14 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -46,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DevicePreparation/PageErrorCode
+```
+
+
+
+
+This node provides specific overall HRESULT causing a fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## PageErrorDetails
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DevicePreparation/PageErrorDetails
+```
+
+
+
+
+This node provides optional details for any fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown, but not all errors will have details.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## PageErrorPhase
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DevicePreparation/PageErrorPhase
+```
+
+
+
+
+This node provides the specific phase that failed during the Device Preparation page. Values are an enum: 0 = Unknown; 1 = AgentDownload; 2 = AgentProgress.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Unknown. |
+| 1 | AgentDownload. |
+| 2 | AgentProgress. |
+
+
+
+
+
+
+
+
## PageSettings
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index eb4efc4afa..cdccc95934 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -1,14 +1,7 @@
---
title: DevicePreparation DDF file
description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -47,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
Dependency URI: `Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
Dependency Allowed Value: `SRVCRED`
Dependency Allowed Value Type: `ENUM`
|
+| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
Dependency Allowed Value: `SRVCRED`
Dependency Allowed Value Type: `ENUM`
|
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 7dd6bd406e..96ba92429a 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,14 +1,7 @@
---
title: DMAcc DDF file
description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -47,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/HealthAttestation/AttestErrorMessage
+```
+
+
+
+
+AttestErrorMessage maintains the error message for the last attestation session, if returned by the attestation service.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
## AttestStatus
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 55bf10d11f..d68e4952d2 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,14 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -47,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the H
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
+```
+
+
+
+
+Use this setting to configure whether the automatically managed account is enabled or disabled.
+
+- If this setting is enabled, the target account will be enabled.
+
+- If this setting is disabled, the target account will be disabled.
+
+If not specified, this setting defaults to False.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled`
Dependency Allowed Value: `true`
Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | The target account will be disabled. |
+| True | The target account will be enabled. |
+
+
+
+
+
+
+
+
+
+### Policies/AutomaticAccountManagementEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
+```
+
+
+
+
+Use this setting to specify whether automatic account management is enabled.
+
+- If this setting is enabled, the target account will be automatically managed.
+
+- If this setting is disabled, the target account won't be automatically managed.
+
+If not specified, this setting defaults to False.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | The target account won't be automatically managed. |
+| true | The target account will be automatically managed. |
+
+
+
+
+
+
+
+
+
+### Policies/AutomaticAccountManagementNameOrPrefix
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
+```
+
+
+
+
+Use this setting to configure the name or prefix of the managed local administrator account.
+
+If specified, the value will be used as the name or name prefix of the managed account.
+
+If not specified, this setting will default to "WLapsAdmin".
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled`
Dependency Allowed Value: `true`
Dependency Allowed Value Type: `ENUM`
|
+
+
+
+
+
+
+
+
+
+### Policies/AutomaticAccountManagementRandomizeName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
+```
+
+
+
+
+Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
+
+If this setting is enabled, the name of the target account will use a random numeric suffix.
+
+If this setting is disbled, the name of the target account won't use a random numeric suffix.
+
+If not specified, this setting defaults to False.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled`
Dependency Allowed Value: `true`
Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | The name of the target account won't use a random numeric suffix. |
+| True | The name of the target account will use a random numeric suffix. |
+
+
+
+
+
+
+
+
+
+### Policies/AutomaticAccountManagementTarget
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
+```
+
+
+
+
+Use this setting to configure which account is automatically managed.
+
+The allowable settings are:
+
+0=The builtin administrator account will be managed.
+
+1=A new account created by Windows LAPS will be managed.
+
+If not specified, this setting will default to 1.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled`
Dependency Allowed Value: `true`
Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Manage the built-in administrator account. |
+| 1 (Default) | Manage a new custom administrator account. |
+
+
+
+
+
+
+
+
### Policies/BackupDirectory
@@ -485,6 +753,54 @@ If not specified, this setting will default to 0.
+
+### Policies/PassphraseLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```Device
+./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength
+```
+
+
+
+
+Use this setting to configure the number of passphrase words.
+
+If not specified, this setting will default to 6 words.
+
+This setting has a minimum allowed value of 3 words.
+
+This setting has a maximum allowed value of 10 words.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[3-10]` |
+| Default Value | 6 |
+| Dependency [PasswordComplexity] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity`
Dependency Allowed Value: `[6-8]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
### Policies/PasswordAgeDays
@@ -557,9 +873,15 @@ The allowable settings are:
1=Large letters
2=Large letters + small letters
3=Large letters + small letters + numbers
-4=Large letters + small letters + numbers + special characters.
+4=Large letters + small letters + numbers + special characters
+5=Large letters + small letters + numbers + special characters (improved readability)
+6=Passphrase (long words)
+7=Passphrase (short words)
+8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.
+
+Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See
Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity`
Dependency Allowed Value: `[1-5]`
Dependency Allowed Value Type: `Range`
|
@@ -747,6 +1074,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
+| 11 | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index d9f29bb7d6..d347e57374 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,14 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 04/07/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -201,8 +194,14 @@ The allowable settings are:
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters
+5=Large letters + small letters + numbers + special characters (improved readability)
+6=Passphrase (long words)
+7=Passphrase (short words)
+8=Passphrase (short words with unique prefixes)
-If not specified, this setting will default to 4.
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Help/AllowChildProcesses
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowChildProcesses |
+| ADMX File Name | Help.admx |
+
+
+
+
+
+
+
+
## DisableHHDEP
@@ -155,6 +200,56 @@ For additional options, see the "Restrict these programs from being launched fro
+
+## HideChildProcessMessageBox
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HideChildProcessMessageBox
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | HideChildProcessMessageBox |
+| ADMX File Name | Help.admx |
+
+
+
+
+
+
+
+
## RestrictRunFromHelp
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
index b207a1fdec..3d1cc2cff2 100644
--- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -1,14 +1,7 @@
---
title: ADMX_HelpAndSupport Policy CSP
description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
index 97c0f896dd..731f6ed051 100644
--- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
+++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
@@ -1,14 +1,7 @@
---
title: ADMX_hotspotauth Policy CSP
description: Learn more about the ADMX_hotspotauth Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
index b75dbe301d..17e2fbb340 100644
--- a/windows/client-management/mdm/policy-csp-admx-icm.md
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -1,14 +1,7 @@
---
title: ADMX_ICM Policy CSP
description: Learn more about the ADMX_ICM Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md
index 5a1b4f8ae9..d447964117 100644
--- a/windows/client-management/mdm/policy-csp-admx-iis.md
+++ b/windows/client-management/mdm/policy-csp-admx-iis.md
@@ -1,14 +1,7 @@
---
title: ADMX_IIS Policy CSP
description: Learn more about the ADMX_IIS Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md
index 2bb4a2a986..2e5c716a1d 100644
--- a/windows/client-management/mdm/policy-csp-admx-iscsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md
@@ -1,14 +1,7 @@
---
title: ADMX_iSCSI Policy CSP
description: Learn more about the ADMX_iSCSI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
index c9bad00bc5..f972a10971 100644
--- a/windows/client-management/mdm/policy-csp-admx-kdc.md
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -1,14 +1,7 @@
---
title: ADMX_kdc Policy CSP
description: Learn more about the ADMX_kdc Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
index 267e0d30d2..085ac4f942 100644
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -1,14 +1,7 @@
---
title: ADMX_Kerberos Policy CSP
description: Learn more about the ADMX_Kerberos Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
index 8cdab26c32..97c9ecc2d4 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -1,14 +1,7 @@
---
title: ADMX_LanmanServer Policy CSP
description: Learn more about the ADMX_LanmanServer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
index 474035a993..b507c61a1e 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
@@ -1,14 +1,7 @@
---
title: ADMX_LanmanWorkstation Policy CSP
description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
index 10bfdf7962..067d3135e1 100644
--- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
@@ -1,14 +1,7 @@
---
title: ADMX_LeakDiagnostic Policy CSP
description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
index dc36ab7519..469330d891 100644
--- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -1,14 +1,7 @@
---
title: ADMX_LinkLayerTopologyDiscovery Policy CSP
description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
index c36607194b..970d6b6704 100644
--- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
+++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
@@ -1,14 +1,7 @@
---
title: ADMX_LocationProviderAdm Policy CSP
description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md
index cf357ba833..dba5786104 100644
--- a/windows/client-management/mdm/policy-csp-admx-logon.md
+++ b/windows/client-management/mdm/policy-csp-admx-logon.md
@@ -1,14 +1,7 @@
---
title: ADMX_Logon Policy CSP
description: Learn more about the ADMX_Logon Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -97,12 +90,7 @@ This policy prevents the user from showing account details (email address or use
-
-This policy setting disables the acrylic blur effect on logon background image.
-
-- If you enable this policy, the logon background image shows without blur.
-
-- If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 2ed270ebf6..d56fe04616 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -1,14 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
index 33ef1a700b..d127a3b726 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmc.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -1,14 +1,7 @@
---
title: ADMX_MMC Policy CSP
description: Learn more about the ADMX_MMC Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
index d7e7143b0d..d854617402 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -1,14 +1,7 @@
---
title: ADMX_MMCSnapins Policy CSP
description: Learn more about the ADMX_MMCSnapins Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
index 54c66c7309..7e94f79eac 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
@@ -1,14 +1,7 @@
---
title: ADMX_MobilePCMobilityCenter Policy CSP
description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
index bd007d95f0..7fecf79eed 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
@@ -1,14 +1,7 @@
---
title: ADMX_MobilePCPresentationSettings Policy CSP
description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index 334498bf41..b253142cc0 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -1,14 +1,7 @@
---
title: ADMX_MSAPolicy Policy CSP
description: Learn more about the ADMX_MSAPolicy Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md
index 34c9f09939..7d53cbdc2b 100644
--- a/windows/client-management/mdm/policy-csp-admx-msched.md
+++ b/windows/client-management/mdm/policy-csp-admx-msched.md
@@ -1,14 +1,7 @@
---
title: ADMX_msched Policy CSP
description: Learn more about the ADMX_msched Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md
index 61b9d77688..33e06d7063 100644
--- a/windows/client-management/mdm/policy-csp-admx-msdt.md
+++ b/windows/client-management/mdm/policy-csp-admx-msdt.md
@@ -1,14 +1,7 @@
---
title: ADMX_MSDT Policy CSP
description: Learn more about the ADMX_MSDT Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
index 881922d5e8..30e507028d 100644
--- a/windows/client-management/mdm/policy-csp-admx-msi.md
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -1,14 +1,7 @@
---
title: ADMX_MSI Policy CSP
description: Learn more about the ADMX_MSI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
index 90a1241020..e87b0fb09d 100644
--- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
@@ -1,14 +1,7 @@
---
title: ADMX_MsiFileRecovery Policy CSP
description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
index c318f50ecd..27e93c1b63 100644
--- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
+++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
@@ -1,14 +1,7 @@
---
title: ADMX_MSS-legacy Policy CSP
description: Learn more about the ADMX_MSS-legacy Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 62d426d98e..8e47bcbc86 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -1,14 +1,7 @@
---
title: ADMX_nca Policy CSP
description: Learn more about the ADMX_nca Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 19a7dcb36f..59719047b8 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -1,14 +1,7 @@
---
title: ADMX_NCSI Policy CSP
description: Learn more about the ADMX_NCSI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index c9d7247cac..cc98c5cf2d 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -1,14 +1,7 @@
---
title: ADMX_Netlogon Policy CSP
description: Learn more about the ADMX_Netlogon Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
index 04f22cb3cf..e65aa855ba 100644
--- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md
+++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
@@ -1,14 +1,7 @@
---
title: ADMX_NetworkConnections Policy CSP
description: Learn more about the ADMX_NetworkConnections Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index 6fe146e767..3f4616f1d8 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -1,14 +1,7 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md
index 362d358dbb..cf28909853 100644
--- a/windows/client-management/mdm/policy-csp-admx-pca.md
+++ b/windows/client-management/mdm/policy-csp-admx-pca.md
@@ -1,14 +1,7 @@
---
title: ADMX_pca Policy CSP
description: Learn more about the ADMX_pca Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
index d71f78c562..83ba39d5bd 100644
--- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
+++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
@@ -1,14 +1,7 @@
---
title: ADMX_PeerToPeerCaching Policy CSP
description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md
index f6c7cd6556..1f8f990c0e 100644
--- a/windows/client-management/mdm/policy-csp-admx-pentraining.md
+++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md
@@ -1,14 +1,7 @@
---
title: ADMX_PenTraining Policy CSP
description: Learn more about the ADMX_PenTraining Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
index 4668a2c205..510a54b8fa 100644
--- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
+++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
@@ -1,14 +1,7 @@
---
title: ADMX_PerformanceDiagnostics Policy CSP
description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index df3ab6fb49..d329f3a34e 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -1,14 +1,7 @@
---
title: ADMX_Power Policy CSP
description: Learn more about the ADMX_Power Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/23/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
index 68f10aa963..bea468e20c 100644
--- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
@@ -1,14 +1,7 @@
---
title: ADMX_PowerShellExecutionPolicy Policy CSP
description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md
index 12298c8668..f9552c2c37 100644
--- a/windows/client-management/mdm/policy-csp-admx-previousversions.md
+++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md
@@ -1,14 +1,7 @@
---
title: ADMX_PreviousVersions Policy CSP
description: Learn more about the ADMX_PreviousVersions Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index 4e7b8d6bf5..712df5a4c8 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -1,14 +1,7 @@
---
title: ADMX_Printing Policy CSP
description: Learn more about the ADMX_Printing Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
index a30b68056b..c687d9136e 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing2.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md
@@ -1,14 +1,7 @@
---
title: ADMX_Printing2 Policy CSP
description: Learn more about the ADMX_Printing2 Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index ce4953e2bd..5548050a9c 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -1,14 +1,7 @@
---
title: ADMX_Programs Policy CSP
description: Learn more about the ADMX_Programs Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
index f4c90fd2f1..806d9651ce 100644
--- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
+++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
@@ -1,14 +1,7 @@
---
title: ADMX_PushToInstall Policy CSP
description: Learn more about the ADMX_PushToInstall Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md
index 88eb3a3e85..c19234a322 100644
--- a/windows/client-management/mdm/policy-csp-admx-qos.md
+++ b/windows/client-management/mdm/policy-csp-admx-qos.md
@@ -1,14 +1,7 @@
---
title: ADMX_QOS Policy CSP
description: Learn more about the ADMX_QOS Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md
index 787f2686d2..2d7bb746e9 100644
--- a/windows/client-management/mdm/policy-csp-admx-radar.md
+++ b/windows/client-management/mdm/policy-csp-admx-radar.md
@@ -1,14 +1,7 @@
---
title: ADMX_Radar Policy CSP
description: Learn more about the ADMX_Radar Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md
index 0c9e9c4c91..20c59c50f0 100644
--- a/windows/client-management/mdm/policy-csp-admx-reliability.md
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md
@@ -1,14 +1,7 @@
---
title: ADMX_Reliability Policy CSP
description: Learn more about the ADMX_Reliability Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
index b3b804deb2..d6b3127e2e 100644
--- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
@@ -1,14 +1,7 @@
---
title: ADMX_RemoteAssistance Policy CSP
description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
index 3184140eb7..8e706aa2c0 100644
--- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
@@ -1,14 +1,7 @@
---
title: ADMX_RemovableStorage Policy CSP
description: Learn more about the ADMX_RemovableStorage Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index 7c8406a263..613e1bb668 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -1,14 +1,7 @@
---
title: ADMX_RPC Policy CSP
description: Learn more about the ADMX_RPC Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md
index f50403b71b..1427a02daf 100644
--- a/windows/client-management/mdm/policy-csp-admx-sam.md
+++ b/windows/client-management/mdm/policy-csp-admx-sam.md
@@ -1,14 +1,7 @@
---
title: ADMX_sam Policy CSP
description: Learn more about the ADMX_sam Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 787caffb91..a507a7dc14 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -1,14 +1,7 @@
---
title: ADMX_Scripts Policy CSP
description: Learn more about the ADMX_Scripts Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index 6d21f4a202..c23bf10950 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -1,14 +1,7 @@
---
title: ADMX_sdiageng Policy CSP
description: Learn more about the ADMX_sdiageng Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
index 7fe4560ed8..a221dc34b5 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
@@ -1,14 +1,7 @@
---
title: ADMX_sdiagschd Policy CSP
description: Learn more about the ADMX_sdiagschd Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index b485aeaea3..fd54e1f891 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -1,14 +1,7 @@
---
title: ADMX_Securitycenter Policy CSP
description: Learn more about the ADMX_Securitycenter Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md
index 467b0c299b..6c890631d8 100644
--- a/windows/client-management/mdm/policy-csp-admx-sensors.md
+++ b/windows/client-management/mdm/policy-csp-admx-sensors.md
@@ -1,14 +1,7 @@
---
title: ADMX_Sensors Policy CSP
description: Learn more about the ADMX_Sensors Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md
index 2e0010499f..0af31e3dda 100644
--- a/windows/client-management/mdm/policy-csp-admx-servermanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md
@@ -1,14 +1,7 @@
---
title: ADMX_ServerManager Policy CSP
description: Learn more about the ADMX_ServerManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index 8a4ae0fb37..a31799041a 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -1,14 +1,7 @@
---
title: ADMX_Servicing Policy CSP
description: Learn more about the ADMX_Servicing Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
index 27aef62087..5b949ace6f 100644
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -1,14 +1,7 @@
---
title: ADMX_SettingSync Policy CSP
description: Learn more about the ADMX_SettingSync Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index 78196c2803..486085f08a 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -1,14 +1,7 @@
---
title: ADMX_SharedFolders Policy CSP
description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md
index 5af4415dfe..a83e821101 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@@ -1,14 +1,7 @@
---
title: ADMX_Sharing Policy CSP
description: Learn more about the ADMX_Sharing Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
index 97565d0fc8..228d08b694 100644
--- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
+++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
@@ -1,14 +1,7 @@
---
title: ADMX_ShellCommandPromptRegEditTools Policy CSP
description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index a427fcd365..22338b85ad 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -1,14 +1,7 @@
---
title: ADMX_Smartcard Policy CSP
description: Learn more about the ADMX_Smartcard Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index 36d22a34e9..0d2382bb64 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -1,14 +1,7 @@
---
title: ADMX_Snmp Policy CSP
description: Learn more about the ADMX_Snmp Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md
index ead22da785..41cf4a6ccc 100644
--- a/windows/client-management/mdm/policy-csp-admx-soundrec.md
+++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md
@@ -1,14 +1,7 @@
---
title: ADMX_SoundRec Policy CSP
description: Learn more about the ADMX_SoundRec Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md
index 1758b042bb..7fc90a1ff0 100644
--- a/windows/client-management/mdm/policy-csp-admx-srmfci.md
+++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md
@@ -1,14 +1,7 @@
---
title: ADMX_srmfci Policy CSP
description: Learn more about the ADMX_srmfci Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
index ea6c920ff9..0a223d43d0 100644
--- a/windows/client-management/mdm/policy-csp-admx-startmenu.md
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -1,14 +1,7 @@
---
title: ADMX_StartMenu Policy CSP
description: Learn more about the ADMX_StartMenu Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
index c3c396e287..2e1c03774b 100644
--- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md
+++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
@@ -1,14 +1,7 @@
---
title: ADMX_SystemRestore Policy CSP
description: Learn more about the ADMX_SystemRestore Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
index c031995861..e7b2fb7d4a 100644
--- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
@@ -1,14 +1,7 @@
---
title: ADMX_TabletPCInputPanel Policy CSP
description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
index 6682bc155c..7ee90e1830 100644
--- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md
+++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
@@ -1,14 +1,7 @@
---
title: ADMX_TabletShell Policy CSP
description: Learn more about the ADMX_TabletShell Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
index 97e296b53b..176660f30b 100644
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -1,14 +1,7 @@
---
title: ADMX_Taskbar Policy CSP
description: Learn more about the ADMX_Taskbar Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -105,16 +98,7 @@ A reboot is required for this policy setting to take effect.
-
-This policy disables the functionality that converts balloons to toast notifications.
-
-- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications.
-
-Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications.
-
-- If you disable or don't configure this policy setting, all notifications will appear as toast notifications.
-
-A reboot is required for this policy setting to take effect.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
index efef32bb83..a394a7a264 100644
--- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
+++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
@@ -1,14 +1,7 @@
---
title: ADMX_tcpip Policy CSP
description: Learn more about the ADMX_tcpip Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index a278a237c3..0b5853336a 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -1,14 +1,7 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -2945,7 +2938,7 @@ This policy setting determines whether a user will be prompted on the client com
-This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs.
+This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs.
The default connection URL must be configured in the form of< https://contoso.com/rdweb/Feed/webfeed.aspx>.
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index aa937ea978..1b7747fb27 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -1,14 +1,7 @@
---
title: ADMX_Thumbnails Policy CSP
description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md
index 2442bd1a0c..90a38cf981 100644
--- a/windows/client-management/mdm/policy-csp-admx-touchinput.md
+++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md
@@ -1,14 +1,7 @@
---
title: ADMX_TouchInput Policy CSP
description: Learn more about the ADMX_TouchInput Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md
index c0de908883..299bc993aa 100644
--- a/windows/client-management/mdm/policy-csp-admx-tpm.md
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md
@@ -1,14 +1,7 @@
---
title: ADMX_TPM Policy CSP
description: Learn more about the ADMX_TPM Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index c89a4542be..5df403b933 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -1,14 +1,7 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index df2fd32ecf..adf0ccefe0 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -1,14 +1,7 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md
index 4c34ddc617..3aaf1c7335 100644
--- a/windows/client-management/mdm/policy-csp-admx-w32time.md
+++ b/windows/client-management/mdm/policy-csp-admx-w32time.md
@@ -1,14 +1,7 @@
---
title: ADMX_W32Time Policy CSP
description: Learn more about the ADMX_W32Time Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md
index 2daf25532c..e6fe0c1726 100644
--- a/windows/client-management/mdm/policy-csp-admx-wcm.md
+++ b/windows/client-management/mdm/policy-csp-admx-wcm.md
@@ -1,14 +1,7 @@
---
title: ADMX_WCM Policy CSP
description: Learn more about the ADMX_WCM Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md
index 14371f71cf..df4c5846ad 100644
--- a/windows/client-management/mdm/policy-csp-admx-wdi.md
+++ b/windows/client-management/mdm/policy-csp-admx-wdi.md
@@ -1,14 +1,7 @@
---
title: ADMX_WDI Policy CSP
description: Learn more about the ADMX_WDI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md
index 97141edb41..31833306d1 100644
--- a/windows/client-management/mdm/policy-csp-admx-wincal.md
+++ b/windows/client-management/mdm/policy-csp-admx-wincal.md
@@ -1,14 +1,7 @@
---
title: ADMX_WinCal Policy CSP
description: Learn more about the ADMX_WinCal Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
index c7c06a9fc3..2055d516ec 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsColorSystem Policy CSP
description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
index 10dcf61ff3..b115f7d5e2 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsConnectNow Policy CSP
description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 33ab184dc5..7fe9bd9679 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
index 9476a4fabb..dbd36541c4 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsMediaDRM Policy CSP
description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
index 46150339f6..04df21d7a7 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsMediaPlayer Policy CSP
description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
index 3a972ef92a..9feebc0561 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsRemoteManagement Policy CSP
description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
index 757279b2fc..ad9da6b96b 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@@ -1,14 +1,7 @@
---
title: ADMX_WindowsStore Policy CSP
description: Learn more about the ADMX_WindowsStore Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index b4561c36e3..016d00fda3 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -1,14 +1,7 @@
---
title: ADMX_WinInit Policy CSP
description: Learn more about the ADMX_WinInit Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
index e9191d0a40..7861b20555 100644
--- a/windows/client-management/mdm/policy-csp-admx-winlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -1,14 +1,7 @@
---
title: ADMX_WinLogon Policy CSP
description: Learn more about the ADMX_WinLogon Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md
index f92cba7883..56d9974fe2 100644
--- a/windows/client-management/mdm/policy-csp-admx-winsrv.md
+++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md
@@ -1,14 +1,7 @@
---
title: ADMX_Winsrv Policy CSP
description: Learn more about the ADMX_Winsrv Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -38,12 +31,7 @@ ms.topic: reference
-
-This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.
-
-- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown won't be automatically terminated during shutdown.
-
-- If you disable or don't configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
index 67f7fd4932..d09a2030f0 100644
--- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
@@ -1,14 +1,7 @@
---
title: ADMX_wlansvc Policy CSP
description: Learn more about the ADMX_wlansvc Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
index 8217f78031..a71623c248 100644
--- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md
+++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
@@ -1,14 +1,7 @@
---
title: ADMX_WordWheel Policy CSP
description: Learn more about the ADMX_WordWheel Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
index 90b757d7e6..f5b3d60f6b 100644
--- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
@@ -1,14 +1,7 @@
---
title: ADMX_WorkFoldersClient Policy CSP
description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
index 3a2751af33..f69b55da60 100644
--- a/windows/client-management/mdm/policy-csp-admx-wpn.md
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -1,14 +1,7 @@
---
title: ADMX_WPN Policy CSP
description: Learn more about the ADMX_WPN Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index abed7ece97..ee6da319a3 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -1,14 +1,7 @@
---
title: ApplicationDefaults Policy CSP
description: Learn more about the ApplicationDefaults Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 15396470d3..ba4fc8b016 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,14 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index c80e7472b4..20cddfc183 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,14 +1,7 @@
---
title: AppRuntime Policy CSP
description: Learn more about the AppRuntime Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 7cfb9ef14a..6e677aa3b7 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,14 +1,7 @@
---
title: AppVirtualization Policy CSP
description: Learn more about the AppVirtualization Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/24/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index ad924dc539..63caf16da0 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,14 +1,7 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 174c8e6dd0..c434116039 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1,14 +1,7 @@
---
title: Audit Policy CSP
description: Learn more about the Audit Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index dd50a84d62..ebc00056d8 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -1,14 +1,7 @@
---
title: Authentication Policy CSP
description: Learn more about the Authentication Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index fbf76ab56a..f94c675d89 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -1,14 +1,7 @@
---
title: Autoplay Policy CSP
description: Learn more about the Autoplay Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index bdc7ed5eee..85ba82af82 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -1,14 +1,7 @@
---
title: Bitlocker Policy CSP
description: Learn more about the Bitlocker Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/09/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index b1d3449ae2..01dbd07987 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,14 +1,7 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 03ee87d6ff..fc321bd1b1 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,14 +1,7 @@
---
title: Bluetooth Policy CSP
description: Learn more about the Bluetooth Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index c6cf0c0b0b..0831538391 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,14 +1,7 @@
---
title: Browser Policy CSP
description: Learn more about the Browser Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 3f89630a72..3882e07879 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,14 +1,7 @@
---
title: Camera Policy CSP
description: Learn more about the Camera Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 1e98fdc8f5..a2cfae0564 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,14 +1,7 @@
---
title: Cellular Policy CSP
description: Learn more about the Cellular Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index 66d7fcc0ad..cb287ddd00 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -1,14 +1,7 @@
---
title: CloudDesktop Policy CSP
description: Learn more about the CloudDesktop Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 09/14/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 7e0a5b1426..26b96531e8 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,14 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 4c27326f83..cd2bf997f6 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,14 +1,7 @@
---
title: ControlPolicyConflict Policy CSP
description: Learn more about the ControlPolicyConflict Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -44,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index bf6c62f53a..d73b3ade9c 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,14 +1,7 @@
---
title: CredentialProviders Policy CSP
description: Learn more about the CredentialProviders Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index 943113ee1d..af3cee543f 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,14 +1,7 @@
---
title: CredentialsDelegation Policy CSP
description: Learn more about the CredentialsDelegation Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 2fb7881948..f6f9d847a7 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,14 +1,7 @@
---
title: CredentialsUI Policy CSP
description: Learn more about the CredentialsUI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index a5874803b9..27aae04079 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,14 +1,7 @@
---
title: Cryptography Policy CSP
description: Learn more about the Cryptography Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/29/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 591e62bd55..ed3d5d84d4 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,14 +1,7 @@
---
title: DataProtection Policy CSP
description: Learn more about the DataProtection Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 3bb392662b..37ef82f657 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,14 +1,7 @@
---
title: DataUsage Policy CSP
description: Learn more about the DataUsage Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index b191cca03e..ce5814933e 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,14 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/08/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index b79f7e2e0d..f9f05c2927 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,14 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 8c7fe07a3d..60c0d9c6aa 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,14 +1,7 @@
---
title: Desktop Policy CSP
description: Learn more about the Desktop Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index e0c33829f6..2b3fea16a4 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -1,14 +1,7 @@
---
title: DesktopAppInstaller Policy CSP
description: Learn more about the DesktopAppInstaller Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index fe3ed53290..c27a142696 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,14 +1,7 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 0f7c4c5589..271866959b 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,14 +1,7 @@
---
title: DeviceHealthMonitoring Policy CSP
description: Learn more about the DeviceHealthMonitoring Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 601453f34d..88d04325f2 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -1,14 +1,7 @@
---
title: DeviceInstallation Policy CSP
description: Learn more about the DeviceInstallation Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 7b0d273a41..649a6dada2 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,14 +1,7 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -718,7 +711,7 @@ This security setting determines the period of time (in days) that a password ca
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` |
-| Default Value | 1 |
+| Default Value | 42 |
@@ -1023,6 +1016,109 @@ This security setting determines the period of time (in days) that a password mu
+
+## MinimumPasswordLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLength
+```
+
+
+
+
+This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
+
+> [!NOTE]
+> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-128]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Minimum password length |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## MinimumPasswordLengthAudit
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLengthAudit
+```
+
+
+
+
+This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-128]` |
+| Default Value | 4294967295 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Minimum password length audit |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
## PasswordComplexity
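Review bot: The MinimumPasswordLengthAudit properties table lists a default of `4294967295` next to an allowed range of `[1-128]`, so the documented default is not a value an administrator can set, and the page never says what it means. It is presumably the "not defined" sentinel under which, per the description, no audit events are issued; once confirmed against the policy definition, the row could read `| Default Value | 4294967295 (not defined; no audit events are issued) |`. In the MinimumPasswordLength note the two defaults run together, and `Default values: 7 on domain controllers; 0 on stand-alone servers.` would read unambiguously. The `[0-128]` range in that table is only reachable when RelaxMinimumPasswordLengthLimits is enabled (otherwise the description caps it at 14), which deserves a short remark beside the range, since the documented default of 0 means no password is required.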
@@ -1255,6 +1351,64 @@ If you enable this setting, users will no longer be able to modify slide show se
+
+## RelaxMinimumPasswordLengthLimits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/RelaxMinimumPasswordLengthLimits
+```
+
+
+
+
+This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Relax minimum password length |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
## ScreenTimeoutWhileLocked
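Review bot: The group policy mapping names this setting `Relax minimum password length`, while the MinimumPasswordLength description added earlier in this file calls it the "Relax minimum password length limits" setting. An administrator looking for it under Password Policy needs the exact name, so the two should agree; the longer form matches the node name RelaxMinimumPasswordLengthLimits and is probably the right one, to be confirmed against the policy editor. The description also ends with "may be configured more than 14" and gives no upper bound; `minimum password length may be configured up to 128` would match the range stated under MinimumPasswordLength.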
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index c716b41a63..8f021f8337 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,14 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 0a9aa6d814..ed3b7b4609 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,14 +1,7 @@
---
title: DmaGuard Policy CSP
description: Learn more about the DmaGuard Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
index ccc75b02bf..14022fde28 100644
--- a/windows/client-management/mdm/policy-csp-eap.md
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -1,14 +1,7 @@
---
title: Eap Policy CSP
description: Learn more about the Eap Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 4ec2cef651..cfd49a1bf0 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,14 +1,7 @@
---
title: Education Policy CSP
description: Learn more about the Education Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 4005e29555..016c5d5a51 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -1,14 +1,7 @@
---
title: EnterpriseCloudPrint Policy CSP
description: Learn more about the EnterpriseCloudPrint Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -274,7 +267,7 @@ Resource URI for which access is being requested by the Mopria discovery client
This policy must target ./User, otherwise it fails.
-The default value is an empty string. Otherwise, the value should contain a URL.
+The default value is an empty string. Otherwise, the value should contain a URL.
**Example**:
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index e97461a682..50e401227e 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -1,14 +1,7 @@
---
title: ErrorReporting Policy CSP
description: Learn more about the ErrorReporting Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index ce940b762e..83a5c6c350 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,14 +1,7 @@
---
title: EventLogService Policy CSP
description: Learn more about the EventLogService Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 3fbecc7fbe..f7ecf4bf2a 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,14 +1,7 @@
---
title: Experience Policy CSP
description: Learn more about the Experience Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 089a7066d9..6d947b5cd3 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -1,14 +1,7 @@
---
title: ExploitGuard Policy CSP
description: Learn more about the ExploitGuard Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index 18426abce1..4b4de43f51 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -1,14 +1,7 @@
---
title: FederatedAuthentication Policy CSP
description: Learn more about the FederatedAuthentication Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/23/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md
index a8a7ae5f57..98a8e70629 100644
--- a/windows/client-management/mdm/policy-csp-feeds.md
+++ b/windows/client-management/mdm/policy-csp-feeds.md
@@ -1,15 +1,7 @@
---
title: Policy CSP - Feeds
description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
ms.date: 09/17/2021
-ms.reviewer:
-manager: aaroncz
---
# Policy CSP - Feeds
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 75e9fb777f..fb55df7a5d 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,14 +1,7 @@
---
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-filesystem.md b/windows/client-management/mdm/policy-csp-filesystem.md
index b3c3aa2084..f1d4135999 100644
--- a/windows/client-management/mdm/policy-csp-filesystem.md
+++ b/windows/client-management/mdm/policy-csp-filesystem.md
@@ -1,14 +1,7 @@
---
title: FileSystem Policy CSP
description: Learn more about the FileSystem Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 7be1ae616e..d16bea4048 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -1,14 +1,7 @@
---
title: Games Policy CSP
description: Learn more about the Games Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 941b6ab1ce..6cd40803bd 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -1,14 +1,7 @@
---
title: Handwriting Policy CSP
description: Learn more about the Handwriting Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index 6584e6372b..3ef891ed68 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -1,14 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index d707b4af93..a6efb038f9 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,14 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/03/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -3666,17 +3659,7 @@ If you disable, or don't configure this policy, all sites are opened using the c
-
-This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
-
-> [!IMPORTANT]
-> Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
-
-- If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
-
-- If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
-
-- If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index ed58ffd639..092f0fcfa3 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,14 +1,7 @@
---
title: Kerberos Policy CSP
description: Learn more about the Kerberos Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/23/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -323,7 +316,7 @@ If you don't configure this policy, the SHA1 algorithm will assume the **Default
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
-| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
@@ -396,7 +389,7 @@ If you don't configure this policy, the SHA256 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
-| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
@@ -469,7 +462,7 @@ If you don't configure this policy, the SHA384 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
-| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
@@ -542,7 +535,7 @@ If you don't configure this policy, the SHA512 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
-| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 957c1a280e..ab923304b0 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -1,14 +1,7 @@
---
title: KioskBrowser Policy CSP
description: Learn more about the KioskBrowser Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 4c0d5e7b6e..b3e44fe44d 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,14 +1,7 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 27405e9ef7..69f8d74490 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -1,14 +1,7 @@
---
title: Licensing Policy CSP
description: Learn more about the Licensing Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 00bb621743..bb70540374 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -1,14 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -373,7 +366,7 @@ Accounts: Rename guest account This security setting determines whether a differ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -402,6 +395,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
| Format | `b64` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ``) |
+| Default Value | 00 |
@@ -416,7 +410,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -457,7 +451,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -722,7 +716,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -771,7 +765,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -824,7 +818,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -880,7 +874,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -930,7 +924,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -987,7 +981,7 @@ Domain member: Disable machine account password changes Determines whether a dom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1040,7 +1034,7 @@ Domain member: Maximum machine account password age This security setting determ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1325,31 +1319,31 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
-
-## InteractiveLogon_MachineAccountThreshold
+
+## InteractiveLogon_MachineAccountLockoutThreshold
-
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
-
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
-
+
```Device
-./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountLockoutThreshold
```
-
+
-
+
Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
-
+
-
+
-
+
-
+
**Description framework properties**:
| Property name | Property value |
@@ -1358,22 +1352,22 @@ Interactive logon: Machine account threshold. The machine lockout policy is enfo
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` |
| Default Value | 0 |
-
+
-
+
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Interactive logon: Machine account lockout threshold |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
-
+
-
+
-
+
-
+
## InteractiveLogon_MachineInactivityLimit
@@ -1531,7 +1525,7 @@ Interactive logon: Message title for users attempting to log on This security se
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1571,7 +1565,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1866,7 +1860,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1891,8 +1885,8 @@ Microsoft network server: Amount of idle time required before suspending a sessi
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-15]` |
-| Default Value | 15 |
+| Allowed Values | Range: `[0-99999]` |
+| Default Value | 99999 |
@@ -2049,7 +2043,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2090,7 +2084,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2125,109 +2119,6 @@ Microsoft network server: Server SPN target name validation level This policy se
-
-## MinimumPasswordLength
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLength
-```
-
-
-
-
-This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
-
-> [!NOTE]
-> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-128]` |
-| Default Value | 0 |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | Minimum password length |
-| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
-
-
-
-
-
-
-
-
-
-## MinimumPasswordLengthAudit
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLengthAudit
-```
-
-
-
-
-This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[1-128]` |
-| Default Value | 4294967295 |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | Minimum password length audit |
-| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
-
-
-
-
-
-
-
-
## NetworkAccess_AllowAnonymousSIDOrNameTranslation
@@ -2415,7 +2306,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2463,7 +2354,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2513,7 +2404,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2538,6 +2429,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
@@ -2552,7 +2444,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2580,6 +2472,7 @@ Network access: Remotely accessible registry paths This security setting determi
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
@@ -2594,7 +2487,7 @@ Network access: Remotely accessible registry paths This security setting determi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2622,6 +2515,7 @@ Network access: Remotely accessible registry paths and subpaths This security se
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
@@ -2742,7 +2636,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2767,6 +2661,7 @@ Network access: Shares that can be accessed anonymously This security setting de
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
@@ -2781,7 +2676,7 @@ Network access: Shares that can be accessed anonymously This security setting de
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -2825,7 +2720,7 @@ Network access: Sharing and security model for local accounts This security sett
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3083,7 +2978,7 @@ Network security: Force logoff when logon hours expire This security setting det
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
+| Default Value | 1 |
@@ -3091,8 +2986,8 @@ Network security: Force logoff when logon hours expire This security setting det
| Value | Description |
|:--|:--|
-| 1 | Enable. |
-| 0 (Default) | Disable. |
+| 1 (Default) | Enable. |
+| 0 | Disable. |
@@ -3181,7 +3076,7 @@ Network security LAN Manager authentication level This security setting determin
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3213,7 +3108,7 @@ Network security: LDAP client signing requirements This security setting determi
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` |
-| Default Value | 0 |
+| Default Value | 1 |
@@ -3587,7 +3482,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3637,7 +3532,7 @@ Recovery console: Allow automatic administrative logon This security setting det
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3672,64 +3567,6 @@ Recovery console: Allow floppy copy and access to all drives and all folders Ena
-
-## RelaxMinimumPasswordLengthLimits
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RelaxMinimumPasswordLengthLimits
-```
-
-
-
-
-This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | Relax minimum password length |
-| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
-
-
-
-
-
-
-
-
## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
@@ -3852,7 +3689,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3893,7 +3730,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -3943,7 +3780,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -4101,6 +3938,64 @@ User Account Control: Behavior of the elevation prompt for administrators in Adm
+
+## UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
+```
+
+
+
+
+User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection. This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Prompt for credentials on the secure desktop. |
+| 2 (Default) | Prompt for consent on the secure desktop. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
@@ -4453,6 +4348,64 @@ User Account Control: Switch to the secure desktop when prompting for elevation
+
+## UserAccountControl_TypeOfAdminApprovalMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_TypeOfAdminApprovalMode
+```
+
+
+
+
+User Account Control: Configure type of Admin Approval Mode. This policy setting controls whether enhanced privilege protection is applied to admin approval mode elevations. If you change this policy setting, you must restart your computer. This policy is only supported on Windows Desktop, not Server. The options are: - Admin Approval Mode is running in legacy mode (default). - Admin Approval Mode is running with enhanced privilege protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Legacy Admin Approval Mode. |
+| 2 | Admin Approval Mode with enhanced privilege protection. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | User Account Control: Configure type of Admin Approval Mode |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## UserAccountControl_UseAdminApprovalMode
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 1ae1768b2e..7dc4364747 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -1,14 +1,7 @@
---
title: LocalUsersAndGroups Policy CSP
description: Learn more about the LocalUsersAndGroups Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index f7afb94964..95f4c33c50 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -1,14 +1,7 @@
---
title: LockDown Policy CSP
description: Learn more about the LockDown Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
index 3359d00d6a..d4773d4c5d 100644
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -1,14 +1,7 @@
---
title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index e3a20f4341..7dc52aed91 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -1,14 +1,7 @@
---
title: Maps Policy CSP
description: Learn more about the Maps Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md
index 5c6eedf729..d6550053a3 100644
--- a/windows/client-management/mdm/policy-csp-memorydump.md
+++ b/windows/client-management/mdm/policy-csp-memorydump.md
@@ -1,14 +1,7 @@
---
title: MemoryDump Policy CSP
description: Learn more about the MemoryDump Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index f0b04e92b7..30117ff84d 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,14 +1,7 @@
---
title: Messaging Policy CSP
description: Learn more about the Messaging Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 79b92833b7..b8ae2bcd32 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -1,14 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/29/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -328,6 +321,97 @@ This policy setting controls if pressing the brightness button changes the brigh
+
+## ConfigureDeviceStandbyAction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyAction
+```
+
+
+
+
+This policy setting controls device maintenance action during standby.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not configured. |
+| 1 | Logoff users. |
+| 2 | Reboot device. |
+
+
+
+
+
+
+
+
+
+## ConfigureDeviceStandbyActionTimeout
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyActionTimeout
+```
+
+
+
+
+This policy setting controls when to start maintenance action after device enters standby. The timeout value is in hours.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-168]` |
+| Default Value | 8 |
+
+
+
+
+
+
+
+
## ConfigureMovingPlatform
@@ -650,7 +734,7 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -699,7 +783,7 @@ This policy setting controls if pinching your thumb and index finger, while look
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -748,7 +832,7 @@ This policy setting controls if using voice commands to open the Start menu is e
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -1111,7 +1195,7 @@ The following example XML string shows the value to enable this policy:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -1160,7 +1244,7 @@ This policy configures whether the Sign-In App should prefer showing Other User
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -1209,7 +1293,7 @@ This policy setting controls if it's require that the Start icon to be pressed f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 9d94c49836..da47e000cd 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,14 +1,7 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -18,6 +11,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -228,7 +223,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index a34a41ff94..6e60b0d9dd 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,14 +1,7 @@
---
title: MSSLegacy Policy CSP
description: Learn more about the MSSLegacy Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index c12b74e90f..84df0472de 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -1,14 +1,7 @@
---
title: Multitasking Policy CSP
description: Learn more about the Multitasking Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index dd7b76de61..14633df6c8 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -1,14 +1,7 @@
---
title: NetworkIsolation Policy CSP
description: Learn more about the NetworkIsolation Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 8b5b22dbeb..0ade49a774 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -1,14 +1,7 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -16,6 +9,8 @@ ms.topic: reference
# Policy CSP - NetworkListManager
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -26,7 +21,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -75,7 +70,7 @@ This policy setting allows you to specify whether users can change the network i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -124,7 +119,7 @@ This policy setting allows you to specify whether users can change the network l
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -267,7 +262,7 @@ This policy setting provides the string that names a network. If this setting is
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -316,7 +311,7 @@ This policy setting allows you to configure the Network Location for networks th
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -365,7 +360,7 @@ This policy setting allows you to configure the Network Location type for networ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index c22d8a9bfa..16fabdc822 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -1,14 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 1f7b42377a..65d5cb42bc 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -1,14 +1,7 @@
---
title: Notifications Policy CSP
description: Learn more about the Notifications Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 68c365431c..e1e5083184 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,14 +1,7 @@
---
title: Power Policy CSP
description: Learn more about the Power Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/24/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 10b73e98be..fa423988bf 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -1,14 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -676,6 +669,56 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
+
+## ConfigureWindowsProtectedPrint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureWindowsProtectedPrint |
+| ADMX File Name | Printing.admx |
+
+
+
+
+
+
+
+
## EnableDeviceControl
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index f96c5acb6a..5094419e31 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,14 +1,7 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index fa85c9cec4..1e190204ac 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -1,14 +1,7 @@
---
title: RemoteAssistance Policy CSP
description: Learn more about the RemoteAssistance Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index e112f3b6d8..caa589b6f9 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -1,14 +1,7 @@
---
title: RemoteDesktop Policy CSP
description: Learn more about the RemoteDesktop Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index e56b901ad4..2e7833047e 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,14 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 1a0bbae405..0f19f54970 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1,14 +1,7 @@
---
title: RemoteManagement Policy CSP
description: Learn more about the RemoteManagement Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index c939be5ef0..1def7d700f 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,14 +1,7 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 95deedc15b..e7c0d076a7 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -1,14 +1,7 @@
---
title: RemoteShell Policy CSP
description: Learn more about the RemoteShell Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 83c65f6386..6c8af25f6a 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -1,14 +1,7 @@
---
title: RestrictedGroups Policy CSP
description: Learn more about the RestrictedGroups Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 624d6566b7..ba702af769 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,14 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/24/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -293,7 +286,7 @@ The most restrictive value is `0` to not allow indexing of encrypted items.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.1620] and later
✅ Windows 10, version 21H1 [10.0.19043.1620] and later
✅ Windows 10, version 21H2 [10.0.19044.1620] and later
✅ Windows 11, version 21H2 [10.0.22000.1761] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index ef1082ff7d..b1093ffddc 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -1,14 +1,7 @@
---
title: Security Policy CSP
description: Learn more about the Security Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 73dbb1343a..46c10a8e9a 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,14 +1,7 @@
---
title: ServiceControlManager Policy CSP
description: Learn more about the ServiceControlManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 9f5437e695..eeb0d6f1ba 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -1,14 +1,7 @@
---
title: Settings Policy CSP
description: Learn more about the Settings Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md
index 954bbaeaf2..39e032a8b4 100644
--- a/windows/client-management/mdm/policy-csp-settingssync.md
+++ b/windows/client-management/mdm/policy-csp-settingssync.md
@@ -1,14 +1,7 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/30/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index a59c0981e8..6e99e05ccb 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,14 +1,7 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -77,6 +70,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
|:--|:--|
| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. |
| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. |
+| 2 | Turns on Application Installation Control, letting users know that there's a comparable app in the Store. |
+| 3 | Turns on Application Installation Control, warning users before installing apps from outside the Store. |
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index bf6e6f78d4..437f917212 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -1,14 +1,7 @@
---
title: Speech Policy CSP
description: Learn more about the Speech Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 838e2faf41..8ae3504c72 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,14 +1,7 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 09/25/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md
index 9f2e6a4f60..34b5c89385 100644
--- a/windows/client-management/mdm/policy-csp-stickers.md
+++ b/windows/client-management/mdm/policy-csp-stickers.md
@@ -1,14 +1,7 @@
---
title: Stickers Policy CSP
description: Learn more about the Stickers Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 3e241acee7..78f789eba8 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -1,14 +1,7 @@
---
title: Storage Policy CSP
description: Learn more about the Storage Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md
new file mode 100644
index 0000000000..13be1bd00e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-sudo.md
@@ -0,0 +1,78 @@
+---
+title: Sudo Policy CSP
+description: Learn more about the Sudo Area in Policy CSP.
+ms.date: 01/31/2024
+---
+
+
+
+
+# Policy CSP - Sudo
+
+[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+
+
+
+
+## EnableSudo
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableSudo |
+| ADMX File Name | Sudo.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 22ff8ce8ea..337e3987e3 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,14 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index b0e97a7454..b08d9a0c2d 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -1,14 +1,7 @@
---
title: SystemServices Policy CSP
description: Learn more about the SystemServices Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 9882cd2083..439cfdb8d3 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -1,14 +1,7 @@
---
title: TaskManager Policy CSP
description: Learn more about the TaskManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 61603da719..a847cb3ec9 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -1,14 +1,7 @@
---
title: TaskScheduler Policy CSP
description: Learn more about the TaskScheduler Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
index 32c6595782..6c9181ab8c 100644
--- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
+++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
@@ -1,14 +1,7 @@
---
title: TenantDefinedTelemetry Policy CSP
description: Learn more about the TenantDefinedTelemetry Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index 62451125d8..b0838899b1 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -1,14 +1,7 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 49037f5600..359c78a5c8 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,14 +1,7 @@
---
title: TextInput Policy CSP
description: Learn more about the TextInput Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 216139ba2a..ec0faa2924 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,14 +1,7 @@
---
title: TimeLanguageSettings Policy CSP
description: Learn more about the TimeLanguageSettings Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 96e90c4433..4e27dcdaee 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,14 +1,7 @@
---
title: Troubleshooting Policy CSP
description: Learn more about the Troubleshooting Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 5232cbd5a3..ff2d3b69e6 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,14 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -282,7 +275,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3757] and later |
@@ -2435,7 +2428,7 @@ Number of days before feature updates are installed on devices automatically reg
> [!NOTE]
->
+>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
@@ -2494,7 +2487,7 @@ Number of days before quality updates are installed on devices automatically reg
> [!NOTE]
->
+>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 39a023b122..dc226ea336 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1,14 +1,7 @@
---
title: UserRights Policy CSP
description: Learn more about the UserRights Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index 5c2fd4615b..bfea6628c8 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -1,14 +1,7 @@
---
title: VirtualizationBasedTechnology Policy CSP
description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index e415fba8e2..0b01461d1e 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -1,14 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -16,6 +9,8 @@ ms.topic: reference
# Policy CSP - WebThreatDefense
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
> [!NOTE]
@@ -28,7 +23,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 0eb72b28a0..677a40fffb 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -1,14 +1,7 @@
---
title: Wifi Policy CSP
description: Learn more about the Wifi Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -16,6 +9,8 @@ ms.topic: reference
# Policy CSP - Wifi
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -234,7 +229,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -284,7 +279,7 @@ Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-F
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 879c8ba6b4..aa027def07 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,14 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/14/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/31/2024
---
@@ -16,17 +9,81 @@ ms.topic: reference
# Policy CSP - WindowsAI
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+## DisableAIDataAnalysis
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
+```
+
+
+
+
+This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data.
+
+- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns.
+
+- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enable Data Analysis for Windows AI. |
+| 1 | Disable Data Analysis for Windows AI. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableAIDataAnalysis |
+| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
+
+
+
+
+
+
+
+
## TurnOffWindowsCopilot
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2361] and later
✅ Windows 11, version 23H2 [10.0.22631] and later |
+| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3758] and later
✅ Windows 10, version 22H2 [10.0.19045.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2361] and later
✅ Windows 11, version 23H2 [10.0.22631] and later |
diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md
index 6fc277fe8f..1e3b68c37a 100644
--- a/windows/client-management/mdm/policy-csp-windowsautopilot.md
+++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md
@@ -1,14 +1,7 @@
---
title: WindowsAutopilot Policy CSP
description: Learn more about the WindowsAutopilot Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 3b1491564f..ae7bafe0cf 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -1,14 +1,7 @@
---
title: WindowsConnectionManager Policy CSP
description: Learn more about the WindowsConnectionManager Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 44ed4083ba..bc665f2973 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1,14 +1,7 @@
---
title: WindowsDefenderSecurityCenter Policy CSP
description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index a2608dd9a9..c84c0bded7 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -1,14 +1,7 @@
---
title: WindowsInkWorkspace Policy CSP
description: Learn more about the WindowsInkWorkspace Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 7f43647495..9d17406fe6 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,14 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/24/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
@@ -41,11 +34,11 @@ ms.topic: reference
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
-This only occurs if the last interactive user didn't sign out before the restart or shutdown.
+This only occurs if the last interactive user didn't sign out before the restart or shutdown.
If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
-- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
+- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot .
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 2a3b6be557..9e4a87efb2 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -1,14 +1,7 @@
---
title: WindowsPowerShell Policy CSP
description: Learn more about the WindowsPowerShell Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index be6709c49c..ffa94e847a 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -1,14 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 11/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 2d101d6563..70e8e67fba 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -1,14 +1,7 @@
---
title: WirelessDisplay Policy CSP
description: Learn more about the WirelessDisplay Area in Policy CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/printerprovisioning-csp.md b/windows/client-management/mdm/printerprovisioning-csp.md
index bea685738c..a80ace3abb 100644
--- a/windows/client-management/mdm/printerprovisioning-csp.md
+++ b/windows/client-management/mdm/printerprovisioning-csp.md
@@ -1,14 +1,7 @@
---
title: PrinterProvisioning CSP
description: Learn more about the PrinterProvisioning CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md
index fb871d05c8..3c4a974d93 100644
--- a/windows/client-management/mdm/printerprovisioning-ddf-file.md
+++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md
@@ -1,14 +1,7 @@
---
title: PrinterProvisioning DDF file
description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 11e636ca48..62d027c686 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -1,13 +1,6 @@
---
title: Provisioning CSP
description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index bfc6a262c4..b452264fde 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,13 +1,6 @@
---
title: PXLOGICAL configuration service provider
description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index f289a7e154..b095998bbd 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,14 +1,7 @@
---
title: Reboot CSP
description: Learn more about the Reboot CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 68b6e64ef9..3b86f5316c 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,14 +1,7 @@
---
title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index 2b3973921d..2acb98e912 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -1,13 +1,6 @@
---
title: RemoteFind CSP
description: The RemoteFind configuration service provider retrieves the location information for a particular device.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index e805197cf2..572d1cbf9e 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -1,13 +1,6 @@
---
title: RemoteFind DDF file
description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 16c44fd50b..12526066f9 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -1,13 +1,6 @@
---
title: RemoteRing CSP
description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
@@ -17,29 +10,27 @@ ms.date: 06/26/2017
You can use the RemoteRing configuration service provider to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device.
The following DDF format shows the RemoteRing configuration service provider in tree format.
+
```
./User/Vendor/MSFT
RemoteRing
----Ring
-
./Device/Vendor/MSFT
Root
-
./User/Vendor/MSFT
./Device/Vendor/MSFT
RemoteRing
----Ring
```
-**Ring**
-Required. The node accepts requests to ring the device.
-The supported operation is Exec.
+## Ring
+
+Required. The node accepts requests to ring the device. The supported operation is Exec.
## Examples
-
The following sample shows how to initiate a remote ring on the device.
```xml
@@ -52,13 +43,3 @@ The following sample shows how to initiate a remote ring on the device.
```
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index d0ae5d1f19..1c0afff55f 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,14 +1,7 @@
---
title: RemoteWipe CSP
description: Learn more about the RemoteWipe CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 1bc56998aa..6ec9d27e89 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,14 +1,7 @@
---
title: RemoteWipe DDF file
description: View the XML file containing the device description framework (DDF) for the RemoteWipe configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 02/17/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index a6ff79d5e1..b8b1422494 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -1,13 +1,6 @@
---
title: Reporting CSP
description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index 71c1e4a728..b04625ed11 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -1,13 +1,6 @@
---
title: Reporting DDF file
description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 67664ef793..6445586c10 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,14 +1,7 @@
---
title: RootCATrustedCertificates CSP
description: Learn more about the RootCATrustedCertificates CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index fbfb864c26..d5a746496d 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,14 +1,7 @@
---
title: RootCATrustedCertificates DDF file
description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 1ccd2b55b5..172e2ef819 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,14 +1,7 @@
---
title: SecureAssessment CSP
description: Learn more about the SecureAssessment CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 10/23/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 01eaf192bc..ef8d526873 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,14 +1,7 @@
---
title: SecureAssessment DDF file
description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 49390c0ef7..c35bb9bfe7 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,13 +1,6 @@
---
title: SecurityPolicy CSP
description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index f2446290ae..bdff7ac7bd 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -1,14 +1,7 @@
---
title: SharedPC CSP
description: Learn more about the SharedPC CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index b652268570..fd1f225e74 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,14 +1,7 @@
---
title: SharedPC DDF file
description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 7593043812..3319247b9f 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,13 +1,6 @@
---
title: Storage CSP
description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 9b582019e9..e0797e83a5 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,13 +1,6 @@
---
title: Storage DDF file
description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 90fb91e0bd..3793140f08 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,14 +1,7 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 3d0aa1baf9..e489dea63b 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,14 +1,7 @@
---
title: SUPL DDF file
description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 4c9892dc4c..553037a410 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -1,14 +1,7 @@
---
title: SurfaceHub CSP
description: Learn more about the SurfaceHub CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 2519ecf5d4..4bfee13fce 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -1,14 +1,7 @@
---
title: SurfaceHub DDF file
description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 97551d7680..f9abc97d80 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -1,14 +1,7 @@
---
title: TenantLockdown CSP
description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 08/13/2018
-ms.reviewer:
-manager: aaroncz
---
# TenantLockdown CSP
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 3aa78e83a1..05bf7451c6 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -1,14 +1,7 @@
---
title: TenantLockdown DDF file
description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 08/13/2018
-ms.reviewer:
-manager: aaroncz
---
# TenantLockdown DDF file
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 2ca71c81c0..f6ca93aa95 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -537,6 +537,8 @@ items:
href: policy-csp-stickers.md
- name: Storage
href: policy-csp-storage.md
+ - name: Sudo
+ href: policy-csp-sudo.md
- name: System
href: policy-csp-system.md
- name: SystemServices
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 5486abb6d0..299b1077a8 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -1,14 +1,7 @@
---
title: TPMPolicy CSP
description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 11/01/2017
-ms.reviewer:
-manager: aaroncz
---
# TPMPolicy CSP
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index 2987a036eb..ae8d4f38f6 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -1,14 +1,7 @@
---
title: TPMPolicy DDF file
description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
-manager: aaroncz
---
# TPMPolicy DDF file
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index a818eb9880..e3e130ee43 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -1,14 +1,7 @@
---
title: UEFI CSP
description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 10/02/2018
-ms.reviewer:
-manager: aaroncz
---
# UEFI CSP
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index dde7789737..3ce949f7c8 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -1,14 +1,7 @@
---
title: UEFI DDF file
description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 10/02/2018
-ms.reviewer:
-manager: aaroncz
---
# UEFI DDF file
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index b35a740976..1df0f1e524 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -1,13 +1,6 @@
---
title: UnifiedWriteFilter CSP
description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
index ffaf61bb19..3e28dc3252 100644
--- a/windows/client-management/mdm/unifiedwritefilter-ddf.md
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -1,13 +1,6 @@
---
title: UnifiedWriteFilter DDF File
description: UnifiedWriteFilter DDF File
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md
index cfaae48b05..183576910e 100644
--- a/windows/client-management/mdm/universalprint-csp.md
+++ b/windows/client-management/mdm/universalprint-csp.md
@@ -1,14 +1,8 @@
---
title: UniversalPrint CSP
description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/02/2022
ms.reviewer: jimwu
-manager: aaroncz
---
# UniversalPrint CSP
diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md
index 3d3fdc2426..e1a1037685 100644
--- a/windows/client-management/mdm/universalprint-ddf-file.md
+++ b/windows/client-management/mdm/universalprint-ddf-file.md
@@ -1,14 +1,8 @@
---
title: UniversalPrint DDF file
description: UniversalPrint DDF file
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/02/2022
ms.reviewer: jimwu
-manager: aaroncz
---
# UniversalPrint DDF file
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index e825289b3c..ab540156f2 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,13 +1,6 @@
---
title: Update CSP
description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 11/16/2023
---
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index a1ba78b157..186bfc4f22 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,13 +1,6 @@
---
title: Update DDF file
description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 02/23/2018
---
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 4f43fb1e32..da946f07ea 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,13 +1,6 @@
---
title: VPN CSP
description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 04/02/2017
---
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index f3df5126a9..81e88ca2b9 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,13 +1,6 @@
---
title: VPN DDF file
description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 3e5e3a5468..58d6463c97 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,14 +1,7 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 20a3da3401..badf9f29e6 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -1,14 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index 6b33ccc664..a84f2bf593 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,13 +1,6 @@
---
title: w4 APPLICATION CSP
description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 0c5e7f4cd5..28acb291e9 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,13 +1,6 @@
---
title: w7 APPLICATION CSP
description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index d7b549f5e8..da583b8cd9 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,14 +1,7 @@
---
title: WiFi CSP
description: Learn more about the WiFi CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index 6fe4d9867a..a0ff37f35e 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,14 +1,7 @@
---
title: WiFi DDF file
description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index d76120673d..0c9cc388d4 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,13 +1,6 @@
---
title: Win32AppInventory CSP
description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 413f6927a8..c30f6ba4a9 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,13 +1,6 @@
---
title: Win32AppInventory DDF file
description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 72e4dc7e0d..0e9a1dd3b8 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -1,14 +1,7 @@
---
title: Win32CompatibilityAppraiser CSP
description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 07/19/2018
-ms.reviewer:
-manager: aaroncz
---
# Win32CompatibilityAppraiser CSP
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 2412d86ade..6e1017cd32 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -1,14 +1,7 @@
---
title: Win32CompatibilityAppraiser DDF file
description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 07/19/2018
-ms.reviewer:
-manager: aaroncz
---
# Win32CompatibilityAppraiser DDF file
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index ab6d3cfd03..040365664e 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,13 +1,6 @@
---
title: WindowsAdvancedThreatProtection CSP
description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 11/01/2017
---
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 1e3460593d..9486c07290 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -2,13 +2,6 @@
title: WindowsAdvancedThreatProtection DDF file
description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md
index 7a34b0a995..788144001b 100644
--- a/windows/client-management/mdm/windowsautopilot-csp.md
+++ b/windows/client-management/mdm/windowsautopilot-csp.md
@@ -1,13 +1,6 @@
---
title: WindowsAutopilot CSP
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 05/09/2022
---
diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md
index 88313274a6..86b4d615ca 100644
--- a/windows/client-management/mdm/windowsautopilot-ddf-file.md
+++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md
@@ -1,14 +1,7 @@
---
title: WindowsAutopilot DDF file
description: Learn how, without the ability to mark a device as remediation required, the device will remain in a broken state for the WindowsAutopilot DDF file configuration service provider (CSP).
-ms.author: vinpa
-ms.topic: reference
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.date: 02/07/2022
-ms.reviewer:
-manager: aaroncz
---
# WindowsAutopilot DDF file
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 0261c3b007..10546d7713 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,14 +1,7 @@
---
title: WindowsDefenderApplicationGuard CSP
description: Learn more about the WindowsDefenderApplicationGuard CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 233de242bb..bdee83a712 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,14 +1,7 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 156b999f6d..f880dd265e 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,14 +1,7 @@
---
title: WindowsLicensing CSP
description: Learn more about the WindowsLicensing CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index fae5beb908..2830112994 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,14 +1,7 @@
---
title: WindowsLicensing DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index a609a45d59..12bac7c750 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,14 +1,7 @@
---
title: WiredNetwork CSP
description: Learn more about the WiredNetwork CSP.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 08/10/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index e59398aa57..ba3a3845ed 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -1,14 +1,7 @@
---
title: WiredNetwork DDF file
description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider.
-author: vinaypamnani-msft
-manager: aaroncz
-ms.author: vinpa
-ms.date: 12/06/2023
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-manage
-ms.topic: reference
+ms.date: 01/18/2024
---
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index c69c1fb951..5d0537216a 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
ms.collection:
- highpri
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index 4ed6e26aaf..dcfbdeb34b 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,7 +1,7 @@
---
title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 08/10/2023
---
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index ad62b88273..3d1ff0619c 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -1,7 +1,7 @@
---
title: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index 39e4133d55..0d3a3b1a1d 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index d449bbfa9f..0ac4310aab 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index e3cafbd896..6b3a303e0a 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index c239b9d0fd..170d213948 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -1,7 +1,7 @@
---
title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index e7bccddb07..7b80861923 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -1,7 +1,7 @@
---
title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
index 4c631e20f5..5fc0485080 100644
--- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -1,7 +1,7 @@
---
title: Using PowerShell scripting with the WMI Bridge Provider
description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index 0cab615908..ff1887a640 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -1,7 +1,7 @@
---
title: Win32 and Desktop Bridge app ADMX policy Ingestion
description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index e3503a278f..03c28bfba7 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,7 +1,7 @@
---
title: Enterprise settings and policy management
description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index ab34b9d0c7..81c71bd5ba 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,7 +1,7 @@
---
title: WMI providers supported in Windows
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-ms.topic: article
+ms.topic: conceptual
ms.date: 08/10/2023
---
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
deleted file mode 100644
index 97c1386a73..0000000000
--- a/windows/configuration/TOC.yml
+++ /dev/null
@@ -1,367 +0,0 @@
-- name: Configure Windows client
- href: index.yml
-- name: Customize the appearance
- items:
- - name: Windows 11
- items:
- - name: Start menu
- items:
- - name: Customize Start menu layout
- href: customize-start-menu-layout-windows-11.md
- - name: Supported Start menu CSPs
- href: supported-csp-start-menu-layout-windows.md
- - name: Taskbar
- items:
- - name: Customize Taskbar
- href: customize-taskbar-windows-11.md
- - name: Supported Taskbar CSPs
- href: supported-csp-taskbar-windows.md
- - name: Windows 10 Start and taskbar
- items:
- - name: Start layout and taskbar
- href: windows-10-start-layout-options-and-policies.md
- - name: Use XML
- items:
- - name: Customize and export Start layout
- href: customize-and-export-start-layout.md
- - name: Customize the taskbar
- href: configure-windows-10-taskbar.md
- - name: Add image for secondary Microsoft Edge tiles
- href: start-secondary-tiles.md
- - name: Start layout XML for Windows 10 desktop editions (reference)
- href: start-layout-xml-desktop.md
- - name: Use group policy
- href: customize-windows-10-start-screens-by-using-group-policy.md
- - name: Use provisioning packages
- href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
- - name: Use mobile device management (MDM)
- href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- - name: Troubleshoot Start menu errors
- href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
- - name: Changes to Start policies in Windows 10
- href: changes-to-start-policies-in-windows-10.md
- - name: Accessibility settings
- items:
- - name: Accessibility information for IT Pros
- href: windows-accessibility-for-ITPros.md
- - name: Configure access to Microsoft Store
- href: stop-employees-from-using-microsoft-store.md
- - name: Configure Windows Spotlight on the lock screen
- href: windows-spotlight.md
- - name: Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions
- href: manage-tips-and-suggestions.md
- - name: Configure cellular settings for tablets and PCs
- href: provisioning-apn.md
- - name: Lockdown features from Windows Embedded 8.1 Industry
- href: lockdown-features-windows-10.md
-
-
-- name: Configure kiosks and digital signs
- items:
- - name: Configure kiosks and digital signs on Windows desktop editions
- href: kiosk-methods.md
- - name: Prepare a device for kiosk configuration
- href: kiosk-prepare.md
- - name: Set up digital signs
- href: setup-digital-signage.md
- - name: Set up a single-app kiosk
- href: kiosk-single-app.md
- - name: Set up a multi-app kiosk for Windows 10
- href: lock-down-windows-10-to-specific-apps.md
- - name: Set up a multi-app kiosk for Windows 11
- href: lock-down-windows-11-to-specific-apps.md
- - name: Kiosk reference information
- items:
- - name: More kiosk methods and reference information
- href: kiosk-additional-reference.md
- - name: Find the Application User Model ID of an installed app
- href: find-the-application-user-model-id-of-an-installed-app.md
- - name: Validate your kiosk configuration
- href: kiosk-validate.md
- - name: Guidelines for choosing an app for assigned access (kiosk mode)
- href: guidelines-for-assigned-access-app.md
- - name: Policies enforced on kiosk devices
- href: kiosk-policies.md
- - name: Assigned access XML reference
- href: kiosk-xml.md
- - name: Use AppLocker to create a Windows 10 kiosk
- href: lock-down-windows-10-applocker.md
- - name: Use Shell Launcher to create a Windows client kiosk
- href: kiosk-shelllauncher.md
- - name: Use MDM Bridge WMI Provider to create a Windows client kiosk
- href: kiosk-mdm-bridge.md
- - name: Troubleshoot kiosk mode issues
- href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
-
-- name: Configure multi-user and guest devices
- items:
- - name: Shared devices concepts
- href: shared-devices-concepts.md
- - name: Configure shared devices with Shared PC
- href: set-up-shared-or-guest-pc.md
- - name: Shared PC technical reference
- href: shared-pc-technical.md
-
-- name: Use provisioning packages
- items:
- - name: Provisioning packages for Windows client
- href: provisioning-packages/provisioning-packages.md
- - name: How provisioning works in Windows client
- href: provisioning-packages/provisioning-how-it-works.md
- - name: Introduction to configuration service providers (CSPs)
- href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
- - name: Install Windows Configuration Designer
- href: provisioning-packages/provisioning-install-icd.md
- - name: Create a provisioning package
- href: provisioning-packages/provisioning-create-package.md
- - name: Apply a provisioning package
- href: provisioning-packages/provisioning-apply-package.md
- - name: Settings changed when you uninstall a provisioning package
- href: provisioning-packages/provisioning-uninstall-package.md
- - name: Provision PCs with common settings for initial deployment (desktop wizard)
- href: provisioning-packages/provision-pcs-for-initial-deployment.md
- - name: Provision PCs with apps
- href: provisioning-packages/provision-pcs-with-apps.md
- - name: Use a script to install a desktop app in provisioning packages
- href: provisioning-packages/provisioning-script-to-install-app.md
- - name: Create a provisioning package with multivariant settings
- href: provisioning-packages/provisioning-multivariant.md
- - name: PowerShell cmdlets for provisioning Windows client (reference)
- href: provisioning-packages/provisioning-powershell.md
- - name: Diagnose provisioning packages
- href: provisioning-packages/diagnose-provisioning-packages.md
- - name: Windows Configuration Designer command-line interface (reference)
- href: provisioning-packages/provisioning-command-line.md
-
-- name: Configure Cortana
- items:
- - name: Configure Cortana in Windows 10
- href: cortana-at-work/cortana-at-work-overview.md
- - name: Testing scenarios using Cortana n Windows 10, version 2004 and later
- items:
- - name: Set up and test Cortana in Windows 10, version 2004 and later
- href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
- - name: Cortana at work testing scenarios
- href: cortana-at-work/cortana-at-work-testing-scenarios.md
- - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
- href: cortana-at-work/cortana-at-work-scenario-1.md
- - name: Test scenario 2 - Run a Bing search with Cortana
- href: cortana-at-work/cortana-at-work-scenario-2.md
- - name: Test scenario 3 - Set a reminder
- href: cortana-at-work/cortana-at-work-scenario-3.md
- - name: Test scenario 4 - Use Cortana to find free time on your calendar
- href: cortana-at-work/cortana-at-work-scenario-4.md
- - name: Test scenario 5 - Find out about a person
- href: cortana-at-work/cortana-at-work-scenario-5.md
- - name: Test scenario 6 - Change your language and run a quick search with Cortana
- href: cortana-at-work/cortana-at-work-scenario-6.md
- - name: Send feedback about Cortana back to Microsoft
- href: cortana-at-work/cortana-at-work-feedback.md
- - name: Testing scenarios using Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
- items:
- - name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
- href: cortana-at-work/cortana-at-work-o365.md
- - name: Testing scenarios using Cortana in your business or organization
- href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
- - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
- href: cortana-at-work/test-scenario-1.md
- - name: Test scenario 2 - Run a quick search with Cortana at work
- href: cortana-at-work/test-scenario-2.md
- - name: Test scenario 3 - Set a reminder for a specific location using Cortana at work
- href: cortana-at-work/test-scenario-3.md
- - name: Test scenario 4 - Use Cortana at work to find your upcoming meetings
- href: cortana-at-work/test-scenario-4.md
- - name: Test scenario 5 - Use Cortana to send email to a coworker
- href: cortana-at-work/test-scenario-5.md
- - name: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
- href: cortana-at-work/test-scenario-6.md
- - name: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
- href: cortana-at-work/cortana-at-work-scenario-7.md
-
- - name: Set up and test custom voice commands in Cortana for your organization
- href: cortana-at-work/cortana-at-work-voice-commands.md
- - name: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
- href: cortana-at-work/cortana-at-work-policy-settings.md
-
-
-- name: Reference
- items:
- - name: Windows Configuration Designer reference
- items:
- - name: Windows Configuration Designer provisioning settings (reference)
- href: wcd/wcd.md
- - name: Changes to settings in Windows Configuration Designer
- href: wcd/wcd-changes.md
- - name: AccountManagement
- href: wcd/wcd-accountmanagement.md
- - name: Accounts
- href: wcd/wcd-accounts.md
- - name: ADMXIngestion
- href: wcd/wcd-admxingestion.md
- - name: AssignedAccess
- href: wcd/wcd-assignedaccess.md
- - name: Browser
- href: wcd/wcd-browser.md
- - name: CellCore
- href: wcd/wcd-cellcore.md
- - name: Cellular
- href: wcd/wcd-cellular.md
- - name: Certificates
- href: wcd/wcd-certificates.md
- - name: CleanPC
- href: wcd/wcd-cleanpc.md
- - name: Connections
- href: wcd/wcd-connections.md
- - name: ConnectivityProfiles
- href: wcd/wcd-connectivityprofiles.md
- - name: CountryAndRegion
- href: wcd/wcd-countryandregion.md
- - name: DesktopBackgroundAndColors
- href: wcd/wcd-desktopbackgroundandcolors.md
- - name: DeveloperSetup
- href: wcd/wcd-developersetup.md
- - name: DeviceFormFactor
- href: wcd/wcd-deviceformfactor.md
- - name: DeviceManagement
- href: wcd/wcd-devicemanagement.md
- - name: DeviceUpdateCenter
- href: wcd/wcd-deviceupdatecenter.md
- - name: DMClient
- href: wcd/wcd-dmclient.md
- - name: EditionUpgrade
- href: wcd/wcd-editionupgrade.md
- - name: FirewallConfiguration
- href: wcd/wcd-firewallconfiguration.md
- - name: FirstExperience
- href: wcd/wcd-firstexperience.md
- - name: Folders
- href: wcd/wcd-folders.md
- - name: HotSpot
- href: wcd/wcd-hotspot.md
- - name: KioskBrowser
- href: wcd/wcd-kioskbrowser.md
- - name: Licensing
- href: wcd/wcd-licensing.md
- - name: Location
- href: wcd/wcd-location.md
- - name: Maps
- href: wcd/wcd-maps.md
- - name: NetworkProxy
- href: wcd/wcd-networkproxy.md
- - name: NetworkQOSPolicy
- href: wcd/wcd-networkqospolicy.md
- - name: OOBE
- href: wcd/wcd-oobe.md
- - name: Personalization
- href: wcd/wcd-personalization.md
- - name: Policies
- href: wcd/wcd-policies.md
- - name: Privacy
- href: wcd/wcd-privacy.md
- - name: ProvisioningCommands
- href: wcd/wcd-provisioningcommands.md
- - name: SharedPC
- href: wcd/wcd-sharedpc.md
- - name: SMISettings
- href: wcd/wcd-smisettings.md
- - name: Start
- href: wcd/wcd-start.md
- - name: StartupApp
- href: wcd/wcd-startupapp.md
- - name: StartupBackgroundTasks
- href: wcd/wcd-startupbackgroundtasks.md
- - name: StorageD3InModernStandby
- href: wcd/wcd-storaged3inmodernstandby.md
- - name: SurfaceHubManagement
- href: wcd/wcd-surfacehubmanagement.md
- - name: TabletMode
- href: wcd/wcd-tabletmode.md
- - name: TakeATest
- href: wcd/wcd-takeatest.md
- - name: Time
- href: wcd/wcd-time.md
- - name: UnifiedWriteFilter
- href: wcd/wcd-unifiedwritefilter.md
- - name: UniversalAppInstall
- href: wcd/wcd-universalappinstall.md
- - name: UniversalAppUninstall
- href: wcd/wcd-universalappuninstall.md
- - name: UsbErrorsOEMOverride
- href: wcd/wcd-usberrorsoemoverride.md
- - name: WeakCharger
- href: wcd/wcd-weakcharger.md
- - name: WindowsHelloForBusiness
- href: wcd/wcd-windowshelloforbusiness.md
- - name: WindowsTeamSettings
- href: wcd/wcd-windowsteamsettings.md
- - name: WLAN
- href: wcd/wcd-wlan.md
- - name: Workplace
- href: wcd/wcd-workplace.md
-
- - name: User Experience Virtualization (UE-V)
- items:
- - name: User Experience Virtualization (UE-V) for Windows 10
- href: ue-v/uev-for-windows.md
- - name: Get started with UE-V
- items:
- - name: Get started with UE-V
- href: ue-v/uev-getting-started.md
- - name: What's New in UE-V for Windows 10, version 1607
- href: ue-v/uev-whats-new-in-uev-for-windows.md
- - name: User Experience Virtualization Release Notes
- href: ue-v/uev-release-notes-1607.md
- - name: Upgrade to UE-V for Windows 10
- href: ue-v/uev-upgrade-uev-from-previous-releases.md
- - name: Prepare a UE-V Deployment
- items:
- - name: Prepare a UE-V Deployment
- href: ue-v/uev-prepare-for-deployment.md
- - name: Deploy Required UE-V Features
- href: ue-v/uev-deploy-required-features.md
- - name: Deploy UE-V for use with Custom Applications
- href: ue-v/uev-deploy-uev-for-custom-applications.md
- - name: Administer UE-V
- items:
- - name: UE-V administration guide
- href: ue-v/uev-administering-uev.md
- - name: Manage Configurations for UE-V
- items:
- - name: Manage Configurations for UE-V
- href: ue-v/uev-manage-configurations.md
- - name: Configuring UE-V with Group Policy Objects
- href: ue-v/uev-configuring-uev-with-group-policy-objects.md
- - name: Configuring UE-V with Microsoft Configuration Manager
- href: ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
- - name: Administering UE-V with Windows PowerShell and WMI
- href: ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
- - name: Managing the UE-V Service and Packages with Windows PowerShell and WMI
- href: ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
- - name: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
- href: ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
- - name: Working with Custom UE-V Templates and the UE-V Template Generator
- href: ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
- - name: Manage Administrative Backup and Restore in UE-V
- href: ue-v/uev-manage-administrative-backup-and-restore.md
- - name: Changing the Frequency of UE-V Scheduled Tasks
- href: ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
- - name: Migrating UE-V Settings Packages
- href: ue-v/uev-migrating-settings-packages.md
- - name: Using UE-V with Application Virtualization Applications
- href: ue-v/uev-using-uev-with-application-virtualization-applications.md
- - name: Troubleshooting UE-V
- href: ue-v/uev-troubleshooting.md
- - name: Technical Reference for UE-V
- items:
- - name: Technical Reference for UE-V
- href: ue-v/uev-technical-reference.md
- - name: Sync Methods for UE-V
- href: ue-v/uev-sync-methods.md
- - name: Sync Trigger Events for UE-V
- href: ue-v/uev-sync-trigger-events.md
- - name: Synchronizing Microsoft Office with UE-V
- href: ue-v/uev-synchronizing-microsoft-office-with-uev.md
- - name: Application Template Schema Reference for UE-V
- href: ue-v/uev-application-template-schema-reference.md
- - name: Security Considerations for UE-V
- href: ue-v/uev-security-considerations.md
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/accessibility/index.md
similarity index 95%
rename from windows/configuration/windows-accessibility-for-ITPros.md
rename to windows/configuration/accessibility/index.md
index cda104c484..335576ee27 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/accessibility/index.md
@@ -1,19 +1,9 @@
---
title: Windows accessibility information for IT Pros
description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
-ms.prod: windows-client
-ms.technology: itpro-configure
-ms.author: lizlong
-author: lizgt2000
-ms.date: 08/11/2023
-ms.reviewer:
-manager: aaroncz
-ms.localizationpriority: medium
+ms.date: 01/25/2024
ms.topic: conceptual
ms.collection: tier1
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
---
@@ -25,76 +15,54 @@ Microsoft is dedicated to making its products and services accessible and usable
This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
-Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+
## General recommendations
- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
-
- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
-
- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision
- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages.
-
- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
-
- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
-
- [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
- [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
- [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
-
- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
-
- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
-
- Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
- Adjust the size of text, icons, and other screen items to make them easier to see.
- Many high-contrast themes are available to suit your needs.
-
- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
-
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
-
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
-
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
-
- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
-
- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
## Hearing
- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions.
-
- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages.
-
- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
-
- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
-
- Replace audible alerts with visual alerts.
- If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
-
- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
-
- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
## Physical
- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
-
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
-
- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
-
- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
- If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
@@ -103,32 +71,24 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
## Cognition
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
-
- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
-
- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
## Assistive technology devices built into Windows
- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
-
- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script.
-
- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
-
-- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
+- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
-
[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
-
[Inclusive design](https://www.microsoft.com/design/inclusive)
-
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
diff --git a/windows/configuration/images/apn-add-details.PNG b/windows/configuration/cellular/images/apn-add-details.PNG
similarity index 100%
rename from windows/configuration/images/apn-add-details.PNG
rename to windows/configuration/cellular/images/apn-add-details.PNG
diff --git a/windows/configuration/images/apn-add.PNG b/windows/configuration/cellular/images/apn-add.PNG
similarity index 100%
rename from windows/configuration/images/apn-add.PNG
rename to windows/configuration/cellular/images/apn-add.PNG
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md
similarity index 66%
rename from windows/configuration/provisioning-apn.md
rename to windows/configuration/cellular/provisioning-apn.md
index 4600c0eaf2..88c77810eb 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/cellular/provisioning-apn.md
@@ -1,63 +1,40 @@
---
-title: Configure cellular settings for tablets and PCs (Windows 10)
+title: Configure cellular settings for tablets and PCs
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
-author: lizgt2000
-ms.author: lizlong
-ms.topic: article
-ms.localizationpriority: medium
+ms.topic: concept-article
ms.date: 04/13/2018
-ms.technology: itpro-configure
---
# Configure cellular settings for tablets and PCs
-
-**Applies to**
-
-- Windows 10
-
>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings)
-Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
+Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
-
## Prerequisites
- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)
-
- Tablet or PC with built-in cellular modem or plug-in USB modem dongle
-
-- [Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
-
+- [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md)
- APN (the address that your PC uses to connect to the Internet when using the cellular data connection)
- >[!NOTE]
- >You can get the APN from your mobile operator.
-
## How to configure cellular settings in a provisioning package
-1. In Windows Configuration Designer, [start a new project](provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
+1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
+1. Enter a name for your project, and then click **Next**.
+1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+1. Go to **Runtime settings > Connections > EnterpriseAPN**.
+1. Enter a name for the connection, and then click **Add**.
-2. Enter a name for your project, and then click **Next**.
+
-3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
-4. Go to **Runtime settings > Connections > EnterpriseAPN**.
+
-5. Enter a name for the connection, and then click **Add**.
-
- 
-
-6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
-
- 
-
-7. The following table describes the settings available for the connection.
+1. The following table describes the settings available for the connection.
| Setting | Description |
| --- | --- |
@@ -72,45 +49,39 @@ For users who work in different locations, you can configure one APN to connect
| Password | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a password that corresponds to the user name. |
| Roaming | Select the behavior that you want when the device is roaming. The options are:-Disallowed-Allowed (default)-DomesticRoaming-Use OnlyForDomesticRoaming-UseOnlyForNonDomesticRoaming-UseOnlyForRoaming |
| UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. |
-
-8. After you configure the connection settings, [build the provisioning package](provisioning-packages/provisioning-create-package.md#build-package).
-
-9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)
+1. After you configure the connection settings, [build the provisioning package](../provisioning-packages/provisioning-create-package.md#build-package).
+1. [Apply the package to devices.](../provisioning-packages/provisioning-apply-package.md)
## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied.
1. On the configured device, open a command prompt as an administrator.
+1. Run the following command:
-2. Run the following command:
-
- ```
+ ```cmd
netsh mbn show profiles
```
-3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
+1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
- ```
+ ```cmd
netsh mbn show profiles name="name"
```
This command will list details for that profile, including Access Point Name.
-
Alternatively, you can also use the command:
-```
+```cmd
netsh mbn show interface
```
From the results of that command, get the name of the cellular/mobile broadband interface and run:
-```
+```cmd
netsh mbn show connection interface="name"
```
The result of that command will show details for the cellular interface, including Access Point Name.
-
-
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
deleted file mode 100644
index c8a911f8a2..0000000000
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
-description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
-author: lizgt2000
-ms.author: lizlong
-ms.topic: whats-new
-ms.localizationpriority: medium
-ms.date: 08/18/2023
-ms.technology: itpro-configure
----
-
-# Changes to Group Policy settings for Windows 10 Start
-
-**Applies to**:
-
-- Windows 10
-
-Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
-
-## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-
-These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**.
-
-|Policy|Notes|
-|--- |--- |
-|Clear history of recently opened documents on exit|Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.|
-|Don't allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.|
-|Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.|
-|Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.|
-|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**|
-|Prevent users from customizing their Start Screen|Use this policy with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
-|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)|
-|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.|
-|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.|
-|Remove common program groups from Start Menu|As in earlier versions of Windows, this policy removes apps specified in the All Users profile from Start|
-|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.|
-|Remove Logoff on the Start Menu|**Logoff** has been changed to **Sign Out** in the user interface, however the functionality is the same.|
-|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).|
-|Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.|
-|Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.|
-|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.|
-
-## Deprecated Group Policy settings for Start
-
-The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
-
-| Policy | When deprecated |
-|----------------------------------------------------------------------------------|-----------------|
-| Go to the desktop instead of Start when signing in | Windows 10 |
-| List desktop apps first in the Apps view | Windows 10 |
-| Pin Apps to Start when installed (User or Computer) | Windows 10 |
-| Remove Default Programs link from the Start menu. | Windows 10 |
-| Remove Documents icon from Start Menu | Windows 10 |
-| Remove programs on Settings menu | Windows 10 |
-| Remove Run menu from Start Menu | Windows 10 |
-| Remove the "Undock PC" button from the Start Menu | Windows 10 |
-| Search just apps from the Apps view | Windows 10 |
-| Show Start on the display the user is using when they press the Windows logo key | Windows 10 |
-| Show the Apps view automatically when the user goes to Start | Windows 10 |
-| Add the Run command to the Start Menu | Windows 8 |
-| Change Start Menu power button | Windows 8 |
-| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 |
-| Remove Downloads link from Start Menu | Windows 8 |
-| Remove Favorites menu from Start Menu | Windows 8 |
-| Remove Games link from Start Menu | Windows 8 |
-| Remove Help menu from Start Menu | Windows 8 |
-| Remove Homegroup link from Start Menu | Windows 8 |
-| Remove Music icon from Start Menu | Windows 8 |
-| Remove Network icon from Start Menu | Windows 8 |
-| Remove Pictures icon from Start Menu | Windows 8 |
-| Remove Recent Items menu from Start Menu | Windows 8 |
-| Remove Recorded TV link from Start Menu | Windows 8 |
-| Remove user folder link from Start Menu | Windows 8 |
-| Remove Videos link from Start Menu | Windows 8 |
-
-
-
-## Related topics
-
-- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-- [Customize and export Start layout](customize-and-export-start-layout.md)
-- [Add image for secondary tiles](start-secondary-tiles.md)
-- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
deleted file mode 100644
index d238ab8539..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Send feedback about Cortana at work back to Microsoft
-description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Send feedback about Cortana back to Microsoft
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues.
-
-:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
-
-To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided.
-
-:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
-
-In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
deleted file mode 100644
index 8cc906cd9f..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
-description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
-ms.prod: windows-client
-ms.collection: tier3
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
-
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-## What can you do with in Windows 10, versions 1909 and earlier?
-Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is.
-
-**See also:**
-
-[Known issues for Windows Desktop Search and Cortana in Windows 10](/troubleshoot/windows-client/shell-experience/windows-desktop-search-and-cortana-issues).
-
-### Before you begin
-There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
-
-- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana's notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
-
-- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
-
-- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution.
-
-- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
-
-### Turn on Cortana enterprise services on employees' devices
-Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar.
-
-#### Turn on Cortana enterprise services
-
-1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
-
-2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account.
-
-3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**.
-
-#### Turn off Cortana enterprise services
-Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center.
-
-1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account.
-
-2. Select the app launcher icon in the upper-left and choose **Admin**.
-
-3. Expand **Settings** and select **Org Settings**.
-
-4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
deleted file mode 100644
index 9bd3833b21..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Configure Cortana in Windows 10 and Windows 11
-ms.reviewer:
-manager: aaroncz
-description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Configure Cortana in Windows 10 and Windows 11
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-## Who is Cortana?
-
-Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
-
-:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
-
-## Where is Cortana available for use in my organization?
-
-Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States.
-
-The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States).
-
-## Required hardware and software
-
-Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization.
-
->[!NOTE]
->A microphone isn't required to use Cortana.
-
-| Software | Minimum version |
-|---------|---------|
-|Client operating system | - Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
-|Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
-|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
-
->[!NOTE]
->For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
-
-
-
-## Signing in using Microsoft Entra ID
-
-Your organization must have a Microsoft Entra tenant and your employees' devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
-
-## How is my data processed by Cortana?
-
-Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later.
-
-### Cortana in Windows 10, version 2004 and later, or Windows 11
-
-Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
-
-#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
-
-The table below describes the data handling for Cortana enterprise services.
-
-
-| Name | Description |
-|---------|---------|
-|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio isn't retained. |
-|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
-|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio isn't retained. |
-|**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. |
-|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. |
-
-#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
-
->[!NOTE]
->The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
-
-Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
-
-First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
-
-The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
-
-:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
-
-At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
-
-If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized.
-
-### Cortana in Windows 10, versions 1909 and earlier
-
-Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419).
-
-Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
-
-## See also
-
-- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
deleted file mode 100644
index e0881606c0..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Configure Cortana with Group Policy and MDM settings (Windows)
-description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
-
-- **Allow Cortana**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
- - **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
- - **Description**: Specifies if users can use Cortana.
-
- Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
-
-- **AllowCortanaAboveLock**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
- - **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
- - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
-
- This setting:
-
- - Doesn't apply to Windows 10, versions 2004 and later
- - Doesn't apply to Windows 11
-
-- **LetAppsActivateWithVoice**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
- - **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
- - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
-
- This setting applies to:
-
- - Windows 10 versions 2004 and later
- - Windows 11
-
- To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
-
-- **LetAppsAccessMicrophone**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
- - **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
- - **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
-
-- **Allow users to enable online speech recognition services**
- - **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
- - **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
- - **Description**: Specifies whether users can use voice commands with Cortana in your organization.
- - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
- - **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
- - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
-
-- **AllowLocation**
- - **Group policy**: None
- - **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
- - **Description**: Specifies whether to allow app access to the Location service.
- - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
- - **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
- - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
-
-- **AllowMicrosoftAccountConnection**
- - **Group policy**: None
- - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
-
-- **Allow search and Cortana to use location**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
- - **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
- - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
-
-- **Don't search the web or display web results**
- - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
- - **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
- - **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
- - **Windows 10 Pro edition**: This setting can’t be managed.
- - **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
- - **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
deleted file mode 100644
index 28baf34fab..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
-description: A test scenario walking you through signing in and managing the notebook.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Test scenario 1 – Sign into Microsoft Entra ID, enable the wake word, and try a voice query
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!NOTE]
->The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
-
-1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
-
-2. Select the "…" menu and select **Talking to Cortana**.
-
-3. Toggle **Wake word** to **On** and close Cortana.
-
-4. Say **Cortana, what can you do?**
-
- When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
-
- :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
-
- Once you finish saying your query, Cortana will open with the result.
-
->[!NOTE]
->If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
deleted file mode 100644
index c107c97a64..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Perform a quick search with Cortana at work (Windows)
-description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 2 – Perform a Bing search with Cortana
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-1. Select the **Cortana** icon in the taskbar.
-
-2. Type **What time is it in Hyderabad?**.
-
-Cortana will respond with the information from Bing.
-
-:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad":::
-
->[!NOTE]
->This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](./set-up-and-test-cortana-in-windows-10.md#set-up-and-configure-the-bing-answers-feature).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
deleted file mode 100644
index 50fb4c4d32..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Set a reminder for a location with Cortana at work (Windows)
-description: A test scenario about how to set a location-based reminder using Cortana at work.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 3 - Set a reminder
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
-
-1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
-
-Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
-
-:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-
-:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
deleted file mode 100644
index 997bd2f471..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Use Cortana at work to find your upcoming meetings (Windows)
-description: A test scenario on how to use Cortana at work to find your upcoming meetings.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings.
-
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-This scenario helps you find out if a time slot is free on your calendar.
-
-1. Select the **Cortana** icon in the taskbar.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type **Am I free at 3 PM tomorrow?**
-
-Cortana will respond with your availability for that time, and nearby meetings.
-
-:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
deleted file mode 100644
index 67d77779e6..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Use Cortana to send email to a coworker (Windows)
-description: A test scenario about how to use Cortana at work to send email to a coworker.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 5 - Test scenario 5 – Find out about a person
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-Cortana can help you quickly look up information about someone or the org chart.
-
-1. Select the **Cortana** icon in the taskbar.
-
-2. Type or select the mic and say, **Who is name of person in your organization's?**
-
-:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
-
-Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
deleted file mode 100644
index a940f6be39..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Review a reminder suggested by Cortana (Windows)
-description: A test scenario on how to use Cortana with the Suggested reminders feature.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 6 – Change your language and perform a quick search with Cortana
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
-
-1. Select the **Cortana** icon in the taskbar.
-
-2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app.
-
-3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
-
-:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
deleted file mode 100644
index 88e5901e0c..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Help protect data with Cortana and WIP (Windows)
-description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
-
-## Use Cortana and WIP to protect your organization’s data
-
-1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
-
-2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
-
-3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
- Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
-
-4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
-
-5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
- Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
deleted file mode 100644
index 9260043d11..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Cortana at work testing scenarios
-description: Suggested testing scenarios that you can use to test Cortana in your organization.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 06/28/2021
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Cortana at work testing scenarios
-
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-
-- [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
-- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
-- [Set a reminder](cortana-at-work-scenario-3.md)
-- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
-- [Find out about a person](cortana-at-work-scenario-5.md)
-- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
-- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
deleted file mode 100644
index 21f168168d..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Set up and test custom voice commands in Cortana for your organization (Windows)
-description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Set up and test custom voice commands in Cortana for your organization
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!NOTE]
->This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases.
-
-Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
-
-## High-level process
-Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
-
-To enable voice commands in Cortana
-
-1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
-
- Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
-
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
-
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
-
-2. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
-
-## Test scenario: Use voice commands in a Microsoft Store app
-While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
-
-**To get a Microsoft Store app**
-1. Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**.
-
-2. Select **Uber**, and then select **Install**.
-
-3. Open Uber, create an account or sign in, and then close the app.
-
-**To set up the app with Cortana**
-1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
-
-2. Select on **Connected Services**, select **Uber**, and then select **Connect**.
-
- 
-
-**To use the voice-enabled commands with Cortana**
-1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box).
-
-2. Say _Uber get me a taxi_.
-
- Cortana changes, letting you provide your trip details for Uber.
-
-## See also
-- [Cortana for developers](/cortana/skills/)
diff --git a/windows/configuration/cortana-at-work/images/screenshot1.png b/windows/configuration/cortana-at-work/images/screenshot1.png
deleted file mode 100644
index ed62740e92..0000000000
Binary files a/windows/configuration/cortana-at-work/images/screenshot1.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/screenshot2.png b/windows/configuration/cortana-at-work/images/screenshot2.png
deleted file mode 100644
index fb7995600e..0000000000
Binary files a/windows/configuration/cortana-at-work/images/screenshot2.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md
deleted file mode 100644
index c5ad2bd22a..0000000000
--- a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
-ms.topic: include
-ms.date: 06/08/2023
-ms.localizationpriority: medium
----
-
-
-> [!Important]
-> Cortana in Windows as a standalone app is [deprecated](/windows/whats-new/deprecated-features). This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms.
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
deleted file mode 100644
index b9fd7b9023..0000000000
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Set up and test Cortana in Windows 10, version 2004 and later
-ms.reviewer:
-manager: aaroncz
-description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Set up and test Cortana in Windows 10, version 2004 and later
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-## Before you begin
-
-- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11.
-- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md).
-
-## Set up and configure the Bing Answers feature
-Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com.
-
-The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
-
-## Configure the Bing Answers feature
-
-Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users.
-
-Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows.
-
-Sign in to the [Office Configuration Admin tool](https://config.office.com/).
-
-Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
-
-:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
-
-## How does Microsoft handle customer data for Bing Answers?
-
-When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions:
-
-1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
-
-2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
-
-Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
-
-## How the Bing Answer policy configuration is applied
-Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
deleted file mode 100644
index cd72adceb2..0000000000
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
-description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
-This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
-
-## Sign in with your work or school account
-
-This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
-
-1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
-
-2. Click your email address.
-
-A dialog box appears, showing the associated account info.
-
-3. Click **Sign out** under your email address.
-
-This signs out the Microsoft account, letting you continue to add your work or school account.
-
-4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
-
-## Use Cortana to manage the notebook content
-
-This process helps you to manage the content Cortana shows in your Notebook.
-
-1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**.
-
-2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
-
-3. Add **Redmond, Washington**.
-
-> [!IMPORTANT]
-> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
deleted file mode 100644
index f69b1c2789..0000000000
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Test scenario 2 - Perform a quick search with Cortana at work
-description: A test scenario about how to perform a quick search with Cortana at work.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 2 – Perform a quick search with Cortana at work
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!Important]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
-
-## Search using Cortana
-
-1. Click on the Cortana icon in the taskbar, and then click in the Search bar.
-
-2. Type **Type Weather in New York**.
-
-You should see the weather in New York, New York at the top of the search results.
-Insert screenshot
-
-## Search with Cortana, by using voice commands
-
-This process helps you to use Cortana at work and voice commands to perform a quick search.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box).
-
-2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
-Insert screenshot
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
deleted file mode 100644
index b57dded7f3..0000000000
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
-description: A test scenario about how to set up, review, and edit a reminder based on a location.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 3 - Set a reminder for a specific location using Cortana at work
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!Important]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
-
->[!Note]
->You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
-
-Additionally, if you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
-
-## Create a reminder for a specific location
-
-This process helps you to create a reminder based on a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
-2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
-
-3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
-
-4. Click **Done**.
-
->[!Note]
->If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the Favorites list in Windows Maps.
-
-5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
-
-6. Take a picture of your receipts and store them locally on your device.
-
-7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
-
-The photo is stored with the reminder.
-
-Insert screenshot 6
-
-8. Review the reminder info, and then click **Remind**.
-
-The reminder is saved and ready to be triggered.
-Insert screenshot
-
-## Create a reminder for a specific location by using voice commands
-
-This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box).
-
-2. Say **Remind me to grab my expense report receipts before I leave home**.
-
-Cortana opens a new reminder task and asks if it sounds good.
-insert screenshot
-
-3. Say **Yes** so Cortana can save the reminder.
-insert screenshot
-
-## Edit or archive an existing reminder
-
-This process helps you to edit or archive and existing or completed reminder.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
-2. Click the pending reminder you want to edit.
-
-3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
deleted file mode 100644
index 206010600b..0000000000
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Use Cortana to find your upcoming meetings at work (Windows)
-description: A test scenario about how to use Cortana at work to find your upcoming meetings.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 4 - Use Cortana to find your upcoming meetings at work
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!Important]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
-
->[!Note]
->If you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
-
-## Find out about upcoming meetings
-
-This process helps you find your upcoming meetings.
-
-1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type **Show me my meetings for tomorrow**.
-
-You’ll see all your meetings scheduled for the next day.
-
-Cortana at work, showing all upcoming meetings
-screenshot
-
-## Find out about upcoming meetings by using voice commands
-
-This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
-
-2. Say **Show me what meeting I have at 3pm tomorrow**.
-
->[!Important]
->Make sure that you have a meeting scheduled for the time you specify here.
-
-Cortana at work, showing the meeting scheduled for 3pm
-screenshot
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
deleted file mode 100644
index f8dfb7cf8e..0000000000
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Use Cortana to send an email to co-worker (Windows)
-description: A test scenario on how to use Cortana at work to send email to a co-worker.
-ms.prod: windows-client
-ms.collection: tier3
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Test scenario 5 - Use Cortana to send an email to co-worker
-
-[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-
->[!Important]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
-
-## Send email to a co-worker
-
-This process helps you to send a quick message to a co-worker from the work address book.
-
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type **Send an email to
For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs.
-Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
-Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
-Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
-Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
-Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
-Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
+| Kiosk Browser settings | Use this setting to |
+|--|--|
+| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. |
+| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
+| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
+| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. |
+| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
+| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
+| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
+
+To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
+
+1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer
+1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18)
+1. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com)
+1. Save the XML file
+1. Open the project again in Windows Configuration Designer
+1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed
-> [!IMPORTANT]
-> To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
->
-> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
-> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
-> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com).
-> 4. Save the XML file.
-> 5. Open the project again in Windows Configuration Designer.
-> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
->
->
> [!TIP]
+>
> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
+>
> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
> - Data type: Integer
> - Value: 1
-
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
+
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
More guidelines for URLs:
-- If a period precedes the host, the policy filters exact host matches only.
-- You can't use user:pass fields.
-- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence.
-- The policy searches wildcards (*) last.
-- The optional query is a set of key-value and key-only tokens delimited by '&'.
-- Key-value tokens are separated by '='.
-- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
+- If a period precedes the host, the policy filters exact host matches only
+- You can't use user:pass fields
+- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence
+- The policy searches wildcards (*) last
+- The optional query is a set of key-value and key-only tokens delimited by '&'
+- Key-value tokens are separated by '='
+- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
-Blocked URL rule | Block URL exception rule | Result
---- | --- | ---
-`*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains.
-`contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain.
-`youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
+| Blocked URL rule | Block URL exception rule | Result |
+|--|--|--|
+| `*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. |
+| `contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. |
+| `youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). |
-The following table gives examples for blocked URLs.
+The following table gives examples for blocked URLs.
-
-| Entry | Result |
-|--------------------------|-------------------------------------------------------------------------------|
-| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
-| `https://*` | Blocks all HTTPS requests to any domain. |
-| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
-| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
-| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
-| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
-| `*:8080` | Blocks all requests to port 8080. |
-| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
-| `192.168.1.2` | Blocks requests to 192.168.1.2. |
-| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
+| Entry | Result |
+|--|--|
+| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
+| `https://*` | Blocks all HTTPS requests to any domain. |
+| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
+| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
+| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
+| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
+| `*:8080` | Blocks all requests to port 8080. |
+| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
+| `192.168.1.2` | Blocks requests to 192.168.1.1. |
+| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
### Other browsers
-
-
You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
-- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
+
+- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
-
-
## Secure your information
Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## App configuration
-Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
+Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
-Check the guidelines published by your selected app and set up accordingly.
+Check the guidelines published by your selected app and set up accordingly.
## Develop your kiosk app
-Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
+Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
-Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
+Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
## Test your assigned access experience
diff --git a/windows/configuration/kiosk/images/account-management-details.PNG b/windows/configuration/kiosk/images/account-management-details.PNG
new file mode 100644
index 0000000000..e4307d8f7b
Binary files /dev/null and b/windows/configuration/kiosk/images/account-management-details.PNG differ
diff --git a/windows/configuration/kiosk/images/add-applications-details.PNG b/windows/configuration/kiosk/images/add-applications-details.PNG
new file mode 100644
index 0000000000..2efd3483ae
Binary files /dev/null and b/windows/configuration/kiosk/images/add-applications-details.PNG differ
diff --git a/windows/configuration/kiosk/images/add-certificates-details.PNG b/windows/configuration/kiosk/images/add-certificates-details.PNG
new file mode 100644
index 0000000000..78cd783282
Binary files /dev/null and b/windows/configuration/kiosk/images/add-certificates-details.PNG differ
diff --git a/windows/configuration/images/apprule.png b/windows/configuration/kiosk/images/apprule.png
similarity index 100%
rename from windows/configuration/images/apprule.png
rename to windows/configuration/kiosk/images/apprule.png
diff --git a/windows/configuration/images/appwarning.png b/windows/configuration/kiosk/images/appwarning.png
similarity index 100%
rename from windows/configuration/images/appwarning.png
rename to windows/configuration/kiosk/images/appwarning.png
diff --git a/windows/configuration/images/aumid-file-explorer.png b/windows/configuration/kiosk/images/aumid-file-explorer.png
similarity index 100%
rename from windows/configuration/images/aumid-file-explorer.png
rename to windows/configuration/kiosk/images/aumid-file-explorer.png
diff --git a/windows/configuration/images/auto-signin.png b/windows/configuration/kiosk/images/auto-signin.png
similarity index 100%
rename from windows/configuration/images/auto-signin.png
rename to windows/configuration/kiosk/images/auto-signin.png
diff --git a/windows/configuration/images/enable-assigned-access-log.png b/windows/configuration/kiosk/images/enable-assigned-access-log.png
similarity index 100%
rename from windows/configuration/images/enable-assigned-access-log.png
rename to windows/configuration/kiosk/images/enable-assigned-access-log.png
diff --git a/windows/configuration/images/finish-details.png b/windows/configuration/kiosk/images/finish-details.png
similarity index 100%
rename from windows/configuration/images/finish-details.png
rename to windows/configuration/kiosk/images/finish-details.png
diff --git a/windows/configuration/images/genrule.png b/windows/configuration/kiosk/images/genrule.png
similarity index 100%
rename from windows/configuration/images/genrule.png
rename to windows/configuration/kiosk/images/genrule.png
diff --git a/windows/configuration/kiosk/images/kiosk-account-details.PNG b/windows/configuration/kiosk/images/kiosk-account-details.PNG
new file mode 100644
index 0000000000..53c31880ea
Binary files /dev/null and b/windows/configuration/kiosk/images/kiosk-account-details.PNG differ
diff --git a/windows/configuration/kiosk/images/kiosk-common-details.PNG b/windows/configuration/kiosk/images/kiosk-common-details.PNG
new file mode 100644
index 0000000000..5eda9b293e
Binary files /dev/null and b/windows/configuration/kiosk/images/kiosk-common-details.PNG differ
diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/kiosk/images/kiosk-fullscreen-sm.png
similarity index 100%
rename from windows/configuration/images/kiosk-fullscreen-sm.png
rename to windows/configuration/kiosk/images/kiosk-fullscreen-sm.png
diff --git a/windows/configuration/kiosk/images/kiosk-settings.PNG b/windows/configuration/kiosk/images/kiosk-settings.PNG
new file mode 100644
index 0000000000..51a4338371
Binary files /dev/null and b/windows/configuration/kiosk/images/kiosk-settings.PNG differ
diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/kiosk/images/kiosk-wizard.png
similarity index 100%
rename from windows/configuration/images/kiosk-wizard.png
rename to windows/configuration/kiosk/images/kiosk-wizard.png
diff --git a/windows/configuration/images/lockdownapps.png b/windows/configuration/kiosk/images/lockdownapps.png
similarity index 100%
rename from windows/configuration/images/lockdownapps.png
rename to windows/configuration/kiosk/images/lockdownapps.png
diff --git a/windows/configuration/images/multiappassignedaccesssettings.png b/windows/configuration/kiosk/images/multiappassignedaccesssettings.png
similarity index 100%
rename from windows/configuration/images/multiappassignedaccesssettings.png
rename to windows/configuration/kiosk/images/multiappassignedaccesssettings.png
diff --git a/windows/configuration/images/profile-config.png b/windows/configuration/kiosk/images/profile-config.png
similarity index 100%
rename from windows/configuration/images/profile-config.png
rename to windows/configuration/kiosk/images/profile-config.png
diff --git a/windows/configuration/images/sample-start.png b/windows/configuration/kiosk/images/sample-start.png
similarity index 100%
rename from windows/configuration/images/sample-start.png
rename to windows/configuration/kiosk/images/sample-start.png
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/kiosk/images/set-assignedaccess.png
similarity index 100%
rename from windows/configuration/images/set-assignedaccess.png
rename to windows/configuration/kiosk/images/set-assignedaccess.png
diff --git a/windows/configuration/kiosk/images/set-up-device-details.PNG b/windows/configuration/kiosk/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..031dac6fe6
Binary files /dev/null and b/windows/configuration/kiosk/images/set-up-device-details.PNG differ
diff --git a/windows/configuration/kiosk/images/set-up-network-details.PNG b/windows/configuration/kiosk/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..778b8497c4
Binary files /dev/null and b/windows/configuration/kiosk/images/set-up-network-details.PNG differ
diff --git a/windows/configuration/images/slv2-oma-uri.png b/windows/configuration/kiosk/images/slv2-oma-uri.png
similarity index 100%
rename from windows/configuration/images/slv2-oma-uri.png
rename to windows/configuration/kiosk/images/slv2-oma-uri.png
diff --git a/windows/configuration/images/vm-kiosk-connect.png b/windows/configuration/kiosk/images/vm-kiosk-connect.png
similarity index 100%
rename from windows/configuration/images/vm-kiosk-connect.png
rename to windows/configuration/kiosk/images/vm-kiosk-connect.png
diff --git a/windows/configuration/images/vm-kiosk.png b/windows/configuration/kiosk/images/vm-kiosk.png
similarity index 100%
rename from windows/configuration/images/vm-kiosk.png
rename to windows/configuration/kiosk/images/vm-kiosk.png
diff --git a/windows/configuration/kiosk/kiosk-additional-reference.md b/windows/configuration/kiosk/kiosk-additional-reference.md
new file mode 100644
index 0000000000..d652bf9874
--- /dev/null
+++ b/windows/configuration/kiosk/kiosk-additional-reference.md
@@ -0,0 +1,22 @@
+---
+title: More kiosk methods and reference information
+description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
+ms.topic: reference
+ms.date: 12/31/2017
+---
+
+# More kiosk methods and reference information
+
+## In this section
+
+| Topic | Description |
+|--|--|
+| [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. |
+| [Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. |
+| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. |
+| [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. |
+| [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. |
+| [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. |
+| [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. |
+| [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. |
+| [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. |
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk/kiosk-mdm-bridge.md
similarity index 74%
rename from windows/configuration/kiosk-mdm-bridge.md
rename to windows/configuration/kiosk/kiosk-mdm-bridge.md
index 4b2f8a1fe8..7725923709 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk/kiosk-mdm-bridge.md
@@ -1,42 +1,30 @@
---
-title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11)
+title: Use MDM Bridge WMI Provider to create a Windows kiosk
description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
-ms.reviewer: sybruckm
-manager: aaroncz
-ms.author: lizlong
-ms.prod: windows-client
-author: lizgt2000
-ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 1/26/2024
+zone_pivot_groups: windows-versions-11-10
+appliesto:
---
# Use MDM Bridge WMI Provider to create a Windows client kiosk
-
-**Applies to**
-
-- Windows 10 Pro, Enterprise, and Education
-- Windows 11
-
-Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
Here's an example to set AssignedAccess configuration:
-1. Download the [psexec tool](/sysinternals/downloads/psexec).
-2. Run `psexec.exe -i -s cmd.exe`.
-3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+1. [Download PsTools][PSTools]
+1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+1. In the PowerShell session launched by `psexec.exe`, execute the following script:
-Step 4 is different for Windows 10 or Windows 11
+::: zone pivot="windows-10"
-4. Execute the following script for Windows 10:
-
-```xml
+```PowerShell
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
+
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
**Disabled** is using EnableSharedPCModeWithOneDriveSync |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
-| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
+| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Extra registry setting | Status |
|-------------------------------------------------------------------------------------------------------------------|----------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
-| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 |
+| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 |
-## SetEDUPolicy
+## SetEDUPolicy
-By enabling SetEDUPolicy, the following settings in the local GPO are configured:
+By enabling SetEDUPolicy, the following settings in the local GPO are configured:
| Policy setting | Status |
|--|--|
| System/User Profiles/Turn off the advertising ID | Enabled |
| Windows Components/Cloud Content/Do not show Windows tips | Enabled |
-| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled |
+| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled |
-## SetPowerPolicies
+## SetPowerPolicies
-By enabling SetPowerPolicies, the following settings in the local GPO are configured:
+By enabling SetPowerPolicies, the following settings in the local GPO are configured:
| Policy setting | Status|
|--|--|
@@ -83,41 +77,42 @@ By enabling SetPowerPolicies, the following settings in the local GPO are config
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled |
-| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled |
+| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled |
-## MaintenanceStartTime
+## MaintenanceStartTime
-By enabling MaintenanceStartTime, the following settings in the local GPO are configured:
+By enabling MaintenanceStartTime, the following settings in the local GPO are configured:
| Policy setting | Status|
|--------------------------------------------------------------------------------------|--------------------------------|
| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H (2 hours) |
-| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
+| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
-## SignInOnResume
+## SignInOnResume
-By enabling SignInOnResume, the following settings in the local GPO are configured:
+By enabling SignInOnResume, the following settings in the local GPO are configured:
| Policy setting | Status|
|--|--|
| System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled |
-| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled |
+| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled |
-## EnableAccountManager
+## EnableAccountManager
-By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`.
+By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`.
-## Shared PC APIs and app behavior
+## Shared PC APIs and app behavior
-Applications can take advantage of Shared PC mode with the following three APIs:
+Applications can take advantage of Shared PC mode with the following three APIs:
- [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
-- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
------------
+- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
+
+-----------
[API-1]: /uwp/api/windows.system.profile.sharedmodesettings.isenabled
[API-2]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
diff --git a/windows/configuration/shared-pc/toc.yml b/windows/configuration/shared-pc/toc.yml
new file mode 100644
index 0000000000..87e0ba65f6
--- /dev/null
+++ b/windows/configuration/shared-pc/toc.yml
@@ -0,0 +1,7 @@
+items:
+- name: Shared devices concepts
+ href: shared-devices-concepts.md
+- name: Configure shared devices with Shared PC
+ href: set-up-shared-or-guest-pc.md
+- name: Shared PC technical reference
+ href: shared-pc-technical.md
\ No newline at end of file
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/start/customize-and-export-start-layout.md
similarity index 78%
rename from windows/configuration/customize-and-export-start-layout.md
rename to windows/configuration/start/customize-and-export-start-layout.md
index 2173e2ee20..725c7c8756 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/start/customize-and-export-start-layout.md
@@ -1,25 +1,16 @@
---
title: Customize and export Start layout
description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
-author: lizgt2000
-ms.author: lizlong
ms.topic: how-to
-ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 10
ms.date: 08/18/2023
ms.collection:
- tier1
-ms.technology: itpro-configure
---
# Customize and export Start layout
-**Applies to**:
-
-- Windows 10
-
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
@@ -36,37 +27,28 @@ When [a partial Start layout](#configure-a-partial-start-layout) is applied, the
You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-### Customize the Start screen on your test computer
+## Customize the Start screen on your test computer
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
-**To prepare a test computer**
+To prepare a test computer:
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
-
1. Create a new user account that you'll use to customize the Start layout.
-**To customize Start**
+To customize Start:
1. Sign in to your test computer with the user account that you created.
-
1. Customize the Start layout as you want users to see it by using the following techniques:
- **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**.
-
To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
-
- **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**.
-
- **Drag tiles** on Start to reorder or group apps.
-
- **Resize tiles**. To resize tiles, right-click the tile and then select **Resize.**
-
- **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
> [!IMPORTANT]
@@ -81,10 +63,9 @@ When you have the Start layout that you want your users to see, use the [Export-
> [!IMPORTANT]
> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
-**To export the Start layout to an .xml file**
+To export the Start layout to an .xml file:
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
-
1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
`Export-StartLayout -path
Parent:
start:Group | Name (in Windows 10, version 1809 and later only)
Size
Row
Column
LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). |
| start:DesktopApplicationTileParent:AppendGroup | DesktopApplicationIDDesktopApplicationLinkPathSizeRowColumn | Use to specify any of the following:- A Windows desktop application with a known AppUserModelID- An application in a known folder with a link in a legacy Start Menu folder- A Windows desktop application link in a legacy Start Menu folder- A Web link tile with an associated `.url` file that is in a legacy Start Menu folder |
| start:SecondaryTileParent:AppendGroup | AppUserModelIDTileIDArgumentsDisplayNameSquare150x150LogoUriShowNameOnSquare150x150LogoShowNameOnWide310x150LogoWide310x150LogoUriBackgroundColorForegroundTextIsSuggestedAppSizeRowColumn | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
-| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
-| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
-| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
+| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.**Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
+| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. **Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
+| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.**Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| AppendOfficeSuiteParent:LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).Don't use this tag with AppendDownloadOfficeTile. |
| AppendDownloadOfficeTileParent:LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in StartDo not use this tag with AppendOfficeSuite |
@@ -89,11 +77,11 @@ The following table lists the supported elements and attributes for the LayoutMo
New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
-- Boot to tablet mode can be set on or off.
-- Set full screen Start on desktop to on or off.
- To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
-- Specify the number of columns in the Start menu to 1 or 2.
- To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
+- Boot to tablet mode can be set on or off
+- Set full screen Start on desktop to on or off
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false
+- Specify the number of columns in the Start menu to 1 or 2
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2
The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu:
@@ -117,33 +105,33 @@ For devices being upgraded to Windows 10 for desktop editions:
### RequiredStartGroups
-The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout.
+The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout.
>[!IMPORTANT]
->For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag.
+>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag.
-You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
+You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
```XML
The setting values for **desktop applications** are stored when the user closes the application.
Values for **Windows settings** are stored when the user logs off, when the computer is locked, or when the user disconnects remotely from a computer.
The sync provider determines when the application or operating system settings are read from the **Settings Packages** and synchronized. |
-| **Settings storage location** | This is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. |
-| **Settings location templates** | UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#manage-settings-synchronization-for-custom-applications).
**Note** Settings location templates are not required for Windows applications. |
-| **Universal Windows applications list** | Settings for Windows applications are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
You can add or remove applications in the Windows app list by following the procedures in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). |
+| **Component** | **Function** |
+|--|--|
+| **UE-V service** | Enabled on every device that needs to synchronize settings, the **UE-V service** monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. |
+| **Settings packages** | Application settings and Windows settings are stored in **settings packages** created by the UE-V service. Settings packages are built, locally stored, and copied to the settings storage location.
The setting values for **desktop applications** are stored when the user closes the application.
Values for **Windows settings** are stored when the user logs off, when the computer is locked, or when the user disconnects remotely from a computer.
The sync provider determines when the application or operating system settings are read from the **Settings Packages** and synchronized. |
+| **Settings storage location** | This is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. |
+| **Settings location templates** | UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#manage-settings-synchronization-for-custom-applications).
**Note** Settings location templates are not required for Windows applications. |
+| **Universal Windows applications list** | Settings for Windows applications are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
You can add or remove applications in the Windows app list by following the procedures in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). |
## Manage settings synchronization for custom applications
Use these UE-V components to create and manage custom templates for your third-party or line-of-business applications.
-| Component | Description |
-|-------------------------------|---------------|
-| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor.
With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
-| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.
If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md).|
+| Component | Description |
+|--|--|
+| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor.
With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
+| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.
If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md). |
-### Planning a UE-V deployment
+### Planning a UE-V deployment
Review the following articles to determine which UE-V components you'll be deploying.
-- [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications)
+- [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications)
If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involve the following tasks:
- - Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment).
+ - Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment).
+ - [Determine whether you need settings synchronized for other applications](#determine-whether-you-need-settings-synchronized-for-other-applications).
- - [Determine whether you need settings synchronized for other applications](#determine-whether-you-need-settings-synchronized-for-other-applications).
-
-- Review [other considerations for deploying UE-V](#other-considerations-when-preparing-a-ue-v-deployment), including high availability and capacity planning.
-
-- [Confirm prerequisites and supported configurations for UE-V](#confirm-prerequisites-and-supported-configurations-for-ue-v)
+- Review [other considerations for deploying UE-V](#other-considerations-when-preparing-a-ue-v-deployment), including high availability and capacity planning.
+- [Confirm prerequisites and supported configurations for UE-V](#confirm-prerequisites-and-supported-configurations-for-ue-v)
## Decide whether to synchronize settings for custom applications
@@ -77,11 +60,9 @@ Deciding if you want UE-V to synchronize settings for custom applications is an
This section explains which settings are synchronized by default in UE-V, including:
-- Desktop applications that are synchronized by default
-
-- Windows desktop settings that are synchronized by default
-
-- A statement of support for Windows applications setting synchronization
+- Desktop applications that are synchronized by default
+- Windows desktop settings that are synchronized by default
+- A statement of support for Windows applications setting synchronization
For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367)
@@ -90,16 +71,15 @@ For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) set
When you enable the UE-V service on user devices, it registers a default group of settings location templates that capture settings values for these common Microsoft applications.
| Application category | Description |
-|-----------------------------|-------------------|
+|--|--|
| Microsoft Office 2016 applications | Microsoft Access 2016
Microsoft Lync 2016
Microsoft Excel 2016
Microsoft OneNote 2016
Microsoft Outlook 2016
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
Microsoft Infopath has been removed (deprecated) from the Office 2016 suite |
-| Microsoft Office 2013 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
Microsoft Excel 2013
Microsoft Outlook 2013
Microsoft Access 2013
Microsoft Project 2013
Microsoft PowerPoint 2013
Microsoft Publisher 2013
Microsoft Visio 2013
Microsoft InfoPath 2013
Microsoft Lync 2013
Microsoft OneNote 2013
Microsoft SharePoint Designer 2013
Microsoft Office 2013 Upload Center
Microsoft OneDrive for Business 2013
-| Microsoft Office 2010 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
Microsoft Excel 2010
Microsoft Outlook 2010
Microsoft Access 2010
Microsoft Project 2010
Microsoft PowerPoint 2010
Microsoft Publisher 2010
Microsoft Visio 2010
Microsoft SharePoint Workspace 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft OneNote 2010
Microsoft SharePoint Designer 2010 |
+| Microsoft Office 2013 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
Microsoft Excel 2013
Microsoft Outlook 2013
Microsoft Access 2013
Microsoft Project 2013
Microsoft PowerPoint 2013
Microsoft Publisher 2013
Microsoft Visio 2013
Microsoft InfoPath 2013
Microsoft Lync 2013
Microsoft OneNote 2013
Microsoft SharePoint Designer 2013
Microsoft Office 2013 Upload Center
Microsoft OneDrive for Business 2013 |
+| Microsoft Office 2010 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
Microsoft Excel 2010
Microsoft Outlook 2010
Microsoft Access 2010
Microsoft Project 2010
Microsoft PowerPoint 2010
Microsoft Publisher 2010
Microsoft Visio 2010
Microsoft SharePoint Workspace 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft OneNote 2010
Microsoft SharePoint Designer 2010 |
| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V doesn't roam settings for Internet Explorer cookies. |
| Windows accessories | Microsoft NotePad, WordPad |
> [!NOTE]
> - An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
->
> - UE-V doesn't synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems.
### Windows settings synchronized by default
@@ -107,22 +87,22 @@ When you enable the UE-V service on user devices, it registers a default group o
UE-V includes settings location templates that capture settings values for these Windows settings.
| Windows settings | Description | Apply on | Export on | Default state |
-|----------------------|-----------------|--------------|---------------|-------------------|
-| Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled |
-| Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled |
-| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, more clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled |
+|--|--|--|--|--|
+| Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled |
+| Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled |
+| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, more clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled |
> [!IMPORTANT]
> UE-V roams taskbar settings between Windows 10 devices. However, UE-V doesn't synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions.
| Settings group | Category | Capture | Apply |
-|--------------------------|----------------|----------------|--------------|
-| **Application Settings** | Windows applications | Close application
Windows application settings change event | Start the UE-V App Monitor at startup
Open app
Windows application settings change event
Arrival of a settings package |
-| | Desktop applications | Application closes | Application opens and closes |
-| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
-| | Ease of Access (Common - Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on |
-| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
-| | Desktop settings | Lock or log off | Log on |
+|--|--|--|--|
+| **Application Settings** | Windows applications | Close application
Windows application settings change event | Start the UE-V App Monitor at startup
Open app
Windows application settings change event
Arrival of a settings package |
+| | Desktop applications | Application closes | Application opens and closes |
+| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
+| | Ease of Access (Common - Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on |
+| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
+| | Desktop settings | Lock or log off | Log on |
### UE-V-support for Windows applications
@@ -139,28 +119,24 @@ Users can print to their saved network printers, including their default network
Printer roaming in UE-V requires one of these scenarios:
-- The print server can download the required driver when it roams to a new device.
-
-- The driver for the roaming network printer is pre-installed on any device that needs to access that network printer.
-
-- The printer driver can be imported from Windows Update.
+- The print server can download the required driver when it roams to a new device.
+- The driver for the roaming network printer is pre-installed on any device that needs to access that network printer.
+- The printer driver can be imported from Windows Update.
> [!NOTE]
> The UE-V printer roaming feature doesn't roam printer settings or preferences, such as printing double-sided.
### Determine whether you need settings synchronized for other applications
-After you've reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
+After you've reviewed the settings that are synchronized automatically in a UE-V deployment, you'll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments.
In general, you can synchronize settings that meet the following criteria:
-- Settings that are stored in user-accessible locations. For example, don't synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry.
-
-- Settings that aren't specific to the particular device. For example, exclude network shortcuts or hardware configurations.
-
-- Settings that can be synchronized between computers without risk of corrupted data. For example, don't use settings that are stored in a database file.
+- Settings that are stored in user-accessible locations. For example, don't synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry.
+- Settings that aren't specific to the particular device. For example, exclude network shortcuts or hardware configurations.
+- Settings that can be synchronized between computers without risk of corrupted data. For example, don't use settings that are stored in a database file.
### Checklist for evaluating custom applications
@@ -172,7 +148,7 @@ If you've decided that you need to synchronize settings for custom applications,
|  | Is it important for the user that these settings are synchronized? |
|  | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
|  | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations don't consistently synchronize across sessions and can cause a poor application experience. |
-|  | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually shouldn't synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
+|  | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\ \[User name\] \**AppData**\**LocalLow** directory? Application data that is stored in either of these locations usually shouldn't synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
|  | Does the application store any settings in a file that contains other application data that shouldn't synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this extra data can cause a poor application experience.|
|  | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
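Review bot: In the checklist row about the Program Files and LocalLow directories, reducing `\\` to `\` leaves a single backslash directly in front of `**`, which Markdown treats as an escaped asterisk. The path separators will likely disappear from the rendered text, and the bold markers around AppData and LocalLow will no longer pair up. Keep the doubled backslashes in this cell, `**Users**\\ \[User name\] \\**AppData**\\**LocalLow**`, or put the whole path in a code span. Admins use this row to decide which locations to exclude from synchronization, so the path needs to render exactly.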
@@ -180,21 +156,15 @@ If you've decided that you need to synchronize settings for custom applications,
You should also consider these things when you're preparing to deploy UE-V:
-- [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v)
+- [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v)
+- [Windows applications settings synchronization](#windows-applications-settings-synchronization)
+- [Custom UE-V settings location templates](#custom-ue-v-settings-location-templates)
+- [Unintentional user settings configurations](#prevent-unintentional-user-settings-configuration)
+- [Performance and capacity](#performance-and-capacity-planning)
+- [High availability](#high-availability-for-ue-v)
+- [Computer clock synchronization](#synchronize-computer-clocks-for-ue-v-settings-synchronization)
-- [Windows applications settings synchronization](#windows-applications-settings-synchronization)
-
-- [Custom UE-V settings location templates](#custom-ue-v-settings-location-templates)
-
-- [Unintentional user settings configurations](#prevent-unintentional-user-settings-configuration)
-
-- [Performance and capacity](#performance-and-capacity-planning)
-
-- [High availability](#high-availability-for-ue-v)
-
-- [Computer clock synchronization](#synchronize-computer-clocks-for-ue-v-settings-synchronization)
-
-### Managing credentials synchronization in UE-V
+### Managing credentials synchronization in UE-V
Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid reentering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V.
@@ -230,25 +200,19 @@ Copy
[Group Policy](uev-configuring-uev-with-group-policy-objects.md)**:** You must edit the Group Policy administrative template for UE-V, which is included in Windows 10, version 1607, to enable credential synchronization through group policy. Credentials synchronization is managed in Windows settings. To manage this feature with Group Policy, enable the **Synchronize Windows** settings policy.
-1. Open Group Policy Editor and navigate to **User Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization**.
-
-2. Double-click **Synchronize Windows settings**.
-
-3. If this policy is enabled, you can enable credentials synchronization by checking the **Roaming Credentials** check box, or disable credentials synchronization by unchecking it.
-
-4. Select **OK**.
+1. Open Group Policy Editor and navigate to **User Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization**.
+1. Double-click **Synchronize Windows settings**.
+1. If this policy is enabled, you can enable credentials synchronization by checking the **Roaming Credentials** check box, or disable credentials synchronization by unchecking it.
+1. Select **OK**.
### Credential locations synchronized by UE-V
Credential files saved by applications into the following locations are synchronized:
-- %UserProfile%\\AppData\\Roaming\\Microsoft\\Credentials\\
-
-- %UserProfile%\\AppData\\Roaming\\Microsoft\\Crypto\\
-
-- %UserProfile%\\AppData\\Roaming\\Microsoft\\Protect\\
-
-- %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\
+- %UserProfile%\AppData\Roaming\Microsoft\Credentials\
+- %UserProfile%\AppData\Roaming\Microsoft\Crypto\
+- %UserProfile%\AppData\Roaming\Microsoft\Protect\
+- %UserProfile%\AppData\Roaming\Microsoft\SystemCertificates\
Credentials saved to other locations aren't synchronized by UE-V.
@@ -256,17 +220,15 @@ Credentials saved to other locations aren't synchronized by UE-V.
UE-V manages Windows application settings synchronization in three ways:
-- **Sync Windows applications:** Allow or deny any Windows application synchronization
-
-- **Windows applications list:** Synchronize a list of Windows applications
-
-- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that aren't in the Windows applications list.
+- **Sync Windows applications:** Allow or deny any Windows application synchronization
+- **Windows applications list:** Synchronize a list of Windows applications
+- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that aren't in the Windows applications list.
For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist).
### Custom UE-V settings location templates
-If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
+If you're deploying UE-V to synchronize settings for custom applications, you'll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
@@ -276,15 +238,11 @@ For more information about custom settings location templates, see [Deploy UE-V
UE-V downloads new user settings information from a settings storage location and applies the settings to the local device in these instances:
-- Each time an application is started that has a registered UE-V template
-
-- When a user signs in to a device
-
-- When a user unlocks a device
-
-- When a connection is made to a remote desktop device running UE-V
-
-- When the Sync Controller Application scheduled task is run
+- Each time an application is started that has a registered UE-V template
+- When a user signs in to a device
+- When a user unlocks a device
+- When a connection is made to a remote desktop device running UE-V
+- When the Sync Controller Application scheduled task is run
If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they're opened and closed with preferred settings.
@@ -306,21 +264,16 @@ By default, UE-V synchronization times out after 2 seconds to prevent excessive
The UE-V settings storage location and settings template catalog support storing user data on any writable share. To ensure high availability, follow these criteria:
-- Format the storage volume with an NTFS file system.
-
-- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) isn't supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
-
+- Format the storage volume with an NTFS file system.
+- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) isn't supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
- [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles)
-
- [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment)
In addition, because SYSVOL uses DFSR for replication, SYSVOL can't be used for UE-V data file replication.
-- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md).
-
-- Use file server clustering along with the UE-V service to provide access to copies of user state data if communications failures occur.
-
-- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
+- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md).
+- Use file server clustering along with the UE-V service to provide access to copies of user state data if communications failures occur.
+- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
### Synchronize computer clocks for UE-V settings synchronization
@@ -331,15 +284,14 @@ Computers that run the UE-V service must use a time server to maintain a consist
Before you proceed, ensure that your environment meets these requirements for using UE-V.
| Operating system | Edition | Service pack | System architecture | Windows PowerShell | Microsoft .NET Framework |
-|--------------------------|---------------|------------------|-------------------------|--------------------------|--------------------------------|
-| Windows 10, version 1607 | Windows 10 for Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
-| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
-| Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
+|--|--|--|--|--|--|
+| Windows 10, version 1607 | Windows 10 for Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
+| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
+| Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher |
> [!NOTE]
> - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
->
-> - The “Delete Roaming Cache” policy for mandatory profiles isn't supported with UE-V and shouldn't be used.
+> - The "Delete Roaming Cache" policy for mandatory profiles isn't supported with UE-V and shouldn't be used.
There are no special random access memory (RAM) requirements specific to UE-V.
@@ -347,13 +299,10 @@ There are no special random access memory (RAM) requirements specific to UE-V.
Sync Provider is the default setting for users and synchronizes a local cache with the settings storage location in these instances:
-- Log on/log off
-
-- Lock/unlock
-
-- Remote desktop connect/disconnect
-
-- Application open/close
+- Log on/log off
+- Lock/unlock
+- Remote desktop connect/disconnect
+- Application open/close
A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md).
@@ -364,7 +313,6 @@ The UE-V service synchronizes user settings for devices that aren't always conne
Enable this configuration using one of these methods:
- After you enable the UE-V service, use the Settings Management feature in Microsoft Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration.
-
- Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration.
Restart the device to allow the settings to synchronize.
@@ -372,7 +320,6 @@ Restart the device to allow the settings to synchronize.
> [!NOTE]
> These methods do not work for pooled virtual desktop infrastructure (VDI) environments.
-
> [!NOTE]
> If you set *SyncMethod = None*, any settings changes are saved directly to the server. If the network connection to the settings storage path is not found, then the settings changes are cached on the device and are synchronized the next time that the sync provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on log off, settings changes are lost and the user must reapply the change when the computer is reconnected to the settings storage path.
@@ -389,22 +336,13 @@ The VDI template is provided with UE-V and is typically available here after ins
Install the UE-V template generator on the device that is used to create custom settings location templates. This device should be able to run the applications that you want to synchronize settings for. You must be a member of the Administrators group on the device that runs the UE-V template generator software.
-The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 4. For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md).
-
-
-
-
+The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 1. For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md).
## Other resources for this feature
-- [User Experience Virtualization overview](uev-for-windows.md)
-
-- [Get started with UE-V](uev-getting-started.md)
-
-- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
-
-- [Administering UE-V](uev-administering-uev.md)
-
-- [Troubleshooting UE-V](uev-troubleshooting.md)
-
-- [Technical Reference for UE-V](uev-technical-reference.md)
+- [User Experience Virtualization overview](uev-for-windows.md)
+- [Get started with UE-V](uev-getting-started.md)
+- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+- [Administering UE-V](uev-administering-uev.md)
+- [Troubleshooting UE-V](uev-troubleshooting.md)
+- [Technical Reference for UE-V](uev-technical-reference.md)
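Review bot: The template generator paragraph now says the software requires `.NET Framework 1`, where the removed line said `.NET Framework 4`. Every other change in this hunk is list and blank-line cleanup, so this looks like an accidental edit rather than a deliberate requirement change. The prerequisites table earlier in this file still lists .NET Framework 4.5 or higher for UE-V. Restore the sentence to `The UE-V template generator software requires .NET Framework 4.` unless the new value is intended and sourced.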
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 995f79f988..b59b289e49 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -1,24 +1,12 @@
---
title: User Experience Virtualization (UE-V) Release Notes
description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
-author: aczechowski
-ms.prod: windows-client
-ms.collection:
- - tier3
- - must-keep
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
+ms.date: 1/25/2024
ms.topic: article
-ms.technology: itpro-configure
---
# User Experience Virtualization (UE-V) Release Notes
-**Applies to**
-- Windows 10, version 1607
-
This topic includes information required to successfully install and use UE-V that isn't included in the User Experience Virtualization (UE-V) documentation. If there are differences between the information in this topic and other UE-V topics, the latest change should be considered authoritative.
### Company Settings Center removed in UE-V for Windows 10, version 1607
@@ -62,7 +50,7 @@ WORKAROUND: Install only one version of Office or limit which settings are synch
### Uninstallation and reinstallation of Windows 8 applications reverts settings to initial state
-While UE-V settings synchronization is being used for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This result happens because the uninstall removes the local (cached) copy of the application’s settings but doesn't remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gathers the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications.
+While UE-V settings synchronization is being used for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application's settings revert to their default values. This result happens because the uninstall removes the local (cached) copy of the application's settings but doesn't remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gathers the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications.
WORKAROUND: None.
@@ -103,17 +91,10 @@ WORKAROUND: None
**Additional resources for this feature**
- [UE-V Registry Settings](/troubleshoot/windows-client/ue-v/ue-v-registry-settings)
-
- [How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)](/troubleshoot/windows-client/ue-v/enable-debug-logging)
-
-- [User Experience Virtualization](uev-for-windows.md)
-
-- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
-
-- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
-
-- [Administering UE-V](uev-administering-uev.md)
-
-- [Troubleshooting UE-V](uev-troubleshooting.md)
-
-- [Technical Reference for UE-V](uev-technical-reference.md)
+- [User Experience Virtualization](uev-for-windows.md)
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+- [Administering UE-V](uev-administering-uev.md)
+- [Troubleshooting UE-V](uev-troubleshooting.md)
+- [Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 0f2220b76e..b0ba65c8c5 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -1,48 +1,33 @@
---
title: Security Considerations for UE-V
description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
-author: aczechowski
-ms.prod: windows-client
-ms.collection:
- - tier3
- - must-keep
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
+ms.date: 1/25/2024
ms.topic: article
-ms.technology: itpro-configure
---
# Security Considerations for UE-V
-**Applies to**
-- Windows 10, version 1607
-
This topic contains a brief overview of accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). For more information, follow the links that are provided here.
## Security considerations for UE-V configuration
-
> [!IMPORTANT]
> When you create the settings storage share, limit the share access to users who require access.
Because settings packages might contain personal information, you should take care to protect them as much as possible. In general, do the following steps:
-- Restrict the share to only those users who require access. Create a security group for users who have redirected folders on a particular share and limit access to only those users.
+- Restrict the share to only those users who require access. Create a security group for users who have redirected folders on a particular share and limit access to only those users.
+- When you create the share, hide the share by putting a $ after the share name. This addition hides the share from casual browsers, and the share isn't visible in My Network Places.
+- Only give users the minimum number of permissions that they must have. The following tables show the required permissions.
-- When you create the share, hide the share by putting a $ after the share name. This addition hides the share from casual browsers, and the share isn't visible in My Network Places.
-
-- Only give users the minimum number of permissions that they must have. The following tables show the required permissions.
-
-1. Set the following share-level SMB permissions for the setting storage location folder.
+1. Set the following share-level SMB permissions for the setting storage location folder.
|User account|Recommended permissions|
|--- |--- |
|Everyone|No permissions|
|Security group of UE-V|Full control|
-2. Set the following NTFS file system permissions for the settings storage location folder.
+1. Set the following NTFS file system permissions for the settings storage location folder.
|User account|Recommended permissions|Folder|
|--- |--- |--- |
@@ -51,7 +36,7 @@ Because settings packages might contain personal information, you should take ca
|Security group of UE-V users|List folder/read data, create folders/append data|This folder only|
|Everyone|Remove all permissions|No permissions|
-3. Set the following share-level SMB permissions for the settings template catalog folder.
+1. Set the following share-level SMB permissions for the settings template catalog folder.
|User account|Recommend permissions|
|--- |--- |
@@ -59,7 +44,7 @@ Because settings packages might contain personal information, you should take ca
|Domain computers|Read permission Levels|
|Administrators|Read/write permission levels|
-4. Set the following NTFS permissions for the settings template catalog folder.
+1. Set the following NTFS permissions for the settings template catalog folder.
|User account|Recommended permissions|Apply to|
|--- |--- |--- |
@@ -68,25 +53,23 @@ Because settings packages might contain personal information, you should take ca
|Everyone|No permissions|No permissions|
|Administrators|Full Control|This folder, subfolders, and files|
-### Use Windows Server as of Windows Server 2003 to host redirected file shares
+### Use Windows Server as of Windows Server 2003 to host redirected file shares
User settings package files contain personal information that is transferred between the client computer and the server that stores the settings packages. Because of this process, you should ensure that the data is protected while it travels over the network.
User settings data is vulnerable to these potential threats: interception of the data as it passes over the network, tampering with the data as it passes over the network, and spoofing of the server that hosts the data.
-As of Windows Server 2003, several features of the Windows Server operating system can help secure user data:
+As of Windows Server 2003, several features of the Windows Server operating system can help secure user data:
-- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2003. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client doesn't know whether the server is valid. This difference is important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos isn't available on the Microsoft Windows NT Server 4.0 or earlier operating systems.
+- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2001. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client doesn't know whether the server is valid. This difference is important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos isn't available on the Microsoft Windows NT Server 4.0 or earlier operating systems.
-- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures that:
+- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures that:
- - Roamed data is safe from data modification while data is en route.
+ - Roamed data is safe from data modification while data is en route.
+ - Roamed data is safe from interception, viewing, or copying.
+ - Roamed data is safe from access by unauthenticated parties.
- - Roamed data is safe from interception, viewing, or copying.
-
- - Roamed data is safe from access by unauthenticated parties.
-
-- **SMB Signing** - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server. In order to use SMB signing, you must first either enable it, or you must require it on both the SMB client and the SMB server. The SMB signing imposes a performance penalty. It doesn't consume any more network bandwidth, but it uses more CPU cycles on the client and server side.
+- **SMB Signing** - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server. In order to use SMB signing, you must first either enable it, or you must require it on both the SMB client and the SMB server. The SMB signing imposes a performance penalty. It doesn't consume any more network bandwidth, but it uses more CPU cycles on the client and server side.
### Always use the NTFS file system for volumes that hold user data
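Review bot: The rewritten Kerberos bullet now reads `Windows Server beginning with Windows Server 2001`, where the removed line said Windows Server 2003. The section heading and the sentence "As of Windows Server 2003, several features…" in the same hunk still say 2003, so this looks like an accidental edit made during the whitespace cleanup. The bullet is the guidance for choosing a settings storage host that authenticates both server and client with Kerberos rather than NTLM, so the version baseline should stay accurate. Restore the original wording: `beginning with Windows Server 2003`.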
@@ -107,20 +90,18 @@ This permission configuration enables users to create folders for settings stora
> [!NOTE]
> Additional security can be configured when a Windows Server is used for the settings storage share. UE-V can be configured to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable additional security, use the following command:
-1. Add the REG\_DWORD registry key RepositoryOwnerCheckEnabled to `HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration`.
-
-2. Set the registry key value to *1*.
+1. Add the REG\_DWORD registry key RepositoryOwnerCheckEnabled to `HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration`.
+1. Set the registry key value to *1*.
When this configuration setting is in place, the UE-V service verifies that the local Administrators group or current user is the owner of the settings package folder. If not, then the UE-V service doesn't grant access to the folder.
-
If you must create folders for the users, ensure that you have the correct permissions set.
We strongly recommend that you don't pre-create folders. Instead, let the UE-V service create the folder for the user.
### Ensure correct permissions to store UE-V 2 settings in a home directory or custom directory
-If you redirect UE-V settings to a user’s home directory or a custom Active Directory (AD) directory, ensure that the permissions on the directory are set appropriately for your organization.
+If you redirect UE-V settings to a user's home directory or a custom Active Directory (AD) directory, ensure that the permissions on the directory are set appropriately for your organization.
### Review the contents of settings location templates and control access to them as needed
@@ -128,9 +109,8 @@ When a settings location template is being created, the UE-V generator uses a Li
If you plan to share settings location templates with anyone outside your organization, you should review all the settings locations and ensure the settings location templates don't contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company:
-- **Template Author Name** – Specify a general, non-identifying name for the template author name or exclude this data from the template.
-
-- **Template Author Email** – Specify a general, non-identifying template author email or exclude this data from the template.
+- **Template Author Name** - Specify a general, non-identifying name for the template author name or exclude this data from the template.
+- **Template Author Email** - Specify a general, non-identifying template author email or exclude this data from the template.
To remove the template author name or template author email, you can use the UE-V generator application. From the generator, select **Edit a Settings Location Template**. Select the settings location template to edit from the recently used templates or Browse to the settings template file. Select **Next** to continue. On the Properties page, remove the data from the Template author name or Template author email text fields. Save the settings location template.
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index 17d2bba46f..c009f76e63 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -1,50 +1,26 @@
---
title: Sync Methods for UE-V
-description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
-author: aczechowski
-ms.prod: windows-client
-ms.collection:
- - tier3
- - must-keep
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
+description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users' application and Windows settings with the settings storage location.
+ms.date: 1/25/2024
ms.topic: article
-ms.technology: itpro-configure
---
# Sync Methods for UE-V
-**Applies to**
-- Windows 10, version 1607
-
-The User Experience Virtualization (UE-V) service lets you synchronize users’ application and Windows settings with the settings storage location. The *Sync Method* configuration defines how the UE-V service uploads and downloads those settings to the settings storage location. UE-V includes a SyncMethod called the *SyncProvider*. For more information about trigger events that start the synchronization of application and Windows settings, see [Sync Trigger Events for UE-V](uev-sync-trigger-events.md).
+The User Experience Virtualization (UE-V) service lets you synchronize users' application and Windows settings with the settings storage location. The *Sync Method* configuration defines how the UE-V service uploads and downloads those settings to the settings storage location. UE-V includes a SyncMethod called the *SyncProvider*. For more information about trigger events that start the synchronization of application and Windows settings, see [Sync Trigger Events for UE-V](uev-sync-trigger-events.md).
## SyncMethod Configuration
This table provides a description of each SyncMethod configuration:
-| **SyncMethod Configuration** | **Description** |
-|------------------------------|---------------------|
-| SyncProvider (Default) | Settings changes for a specific application or for global Windows desktop settings are saved locally to a cache folder. These changes are then synchronized with the settings storage location when a synchronization trigger event takes place. Pushing out changes will save the local changes to the settings storage path.
This default setting is the gold standard for computers. This option attempts to synchronize the setting and times out after a short delay to ensure that the application or operating system startup isn’t delayed for a long period of time.
This functionality is also tied to the Scheduled task – Sync Controller Application. The administrator controls the frequency of the Scheduled task. By default, computers synchronize their settings every 30 min after logging on. |
-| External | This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. |
-| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
Any settings changes are saved directly to the server. If the network connection to the settings storage path isn't available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path isn't found and the user profile is removed from a pooled VDI environment on sign out, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
Apps and OS will wait indefinitely for the location to be present. This waiting period could cause App load or OS sign-in time to dramatically increase if the location isn't found. |
+| **SyncMethod Configuration** | **Description** |
+|--|--|
+| SyncProvider (Default) | Settings changes for a specific application or for global Windows desktop settings are saved locally to a cache folder. These changes are then synchronized with the settings storage location when a synchronization trigger event takes place. Pushing out changes will save the local changes to the settings storage path.
This default setting is the gold standard for computers. This option attempts to synchronize the setting and times out after a short delay to ensure that the application or operating system startup isn't delayed for a long period of time.
This functionality is also tied to the Scheduled task - Sync Controller Application. The administrator controls the frequency of the Scheduled task. By default, computers synchronize their settings every 30 min after logging on. |
+| External | This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. |
+| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
Any settings changes are saved directly to the server. If the network connection to the settings storage path isn't available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path isn't found and the user profile is removed from a pooled VDI environment on sign out, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
Apps and OS will wait indefinitely for the location to be present. This waiting period could cause App load or OS sign-in time to dramatically increase if the location isn't found. |
You can configure the sync method in these ways:
-- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings
-
-- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V
-
-- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md)
-
-
-
-
-
-## Related topics
-
-[Deploy Required UE-V Features](uev-deploy-required-features.md)
-
-[Technical Reference for UE-V](uev-technical-reference.md)
+- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings
+- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V
+- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md)
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 6cae6d66bf..a7347846ca 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -1,24 +1,12 @@
---
title: Sync Trigger Events for UE-V
description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
-author: aczechowski
-ms.prod: windows-client
-ms.collection:
- - tier3
- - must-keep
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
+ms.date: 1/25/2024
ms.topic: article
-ms.technology: itpro-configure
---
# Sync Trigger Events for UE-V
-**Applies to**
-- Windows 10, version 1607
-
User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. *Sync trigger events* define when the UE-V service synchronizes those settings with the settings storage location. For more information about Sync Method configuration, see [Sync Methods for UE-V](uev-sync-methods.md).
## UE-V Sync Trigger Events
@@ -38,18 +26,6 @@ The following table explains the trigger events for classic applications and Win
## Related topics
-
[Technical Reference for UE-V](uev-technical-reference.md)
-
[Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
-
[Choose the Configuration Method for UE-V](uev-deploy-required-features.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index e06e33e471..8fb7fae374 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -1,37 +1,22 @@
---
title: Synchronizing Microsoft Office with UE-V
description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
-author: aczechowski
-ms.prod: windows-client
-ms.collection:
- - tier3
- - must-keep
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
+ms.date: 1/25/2024
ms.topic: article
-ms.technology: itpro-configure
---
# Synchronizing Office with UE-V
-**Applies to**
-- Windows 10, version 1607
-
Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop.
-To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates and community-developed settings location templates.
-
## Microsoft Office support in UE-V
-UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
+UE-V includes settings location templates for Microsoft Office 2016, 2013, and 201. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
-These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
+These templates help synchronize users' Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
## Synchronized Office Settings
-
Review the following tables for details about Office support in UE-V:
### Supported UE-V templates for Microsoft Office
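Review bot: The first sentence under "Microsoft Office support in UE-V" now ends its version list with `201` (`Microsoft Office 2016, 2013, and 201`), while the removed line and the very next sentence both say Office 2010. The last digit appears to have been dropped when the trailing whitespace was trimmed. Restore `Microsoft Office 2016, 2013, and 2010`.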
@@ -50,14 +35,11 @@ Review the following tables for details about Office support in UE-V:
You can deploy UE-V settings location template with the following methods:
-- **Registering template with PowerShell**. If you use Windows PowerShell to manage computers, run the following Windows PowerShell command as Administrator to register this settings location template:
-
+- **Registering template with PowerShell**. If you use Windows PowerShell to manage computers, run the following Windows PowerShell command as Administrator to register this settings location template:
```powershell
Register-UevTemplate -Path
For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
-Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
-Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
-Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
-Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
-Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
+| Kiosk Browser settings | Use this setting to |
+|--|--|
+| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. |
+| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
+| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
+| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
+| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
+| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
-> [!IMPORTANT]
-> To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
->
-> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
-> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
-> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com).
-> 4. Save the XML file.
-> 5. Open the project again in Windows Configuration Designer.
-> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
+To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
+
+1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
+1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
+1. Insert the null character string in between each URL (e.g https://www.bing.com``https://www.contoso.com).
+1. Save the XML file.
+1. Open the project again in Windows Configuration Designer.
+1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index a2135a483b..183f46a056 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -1,28 +1,20 @@
---
-title: Licensing (Windows 10)
+title: Licensing
description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# Licensing (Windows Configuration Designer reference)
-Use for settings related to Microsoft licensing programs.
+Use for settings related to Microsoft licensing programs.
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | |
-| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | |
+| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✅ | | | |
+| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✅ | | | |
## AllowWindowsEntitlementReactivation
@@ -30,4 +22,5 @@ Enable or disable Windows license reactivation.
## DisallowKMSClientOnlineAVSValidation
-Enable this setting to prevent the device from sending data to Microsoft regarding its activation state.
+Enable this setting to prevent the device from sending data to Microsoft regarding its activation state.
+
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index bbc00f2648..577c704fa4 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -1,16 +1,8 @@
---
-title: Location (Windows 10)
+title: Location
description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Location (Windows Configuration Designer reference)
@@ -21,7 +13,7 @@ Use Location settings to configure location services.
| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| [EnableLocation](#enablelocation) | | | | ✔️ |
+| [EnableLocation](#enablelocation) | | | | ✅ |
## EnableLocation
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index bf3aeccaf3..df82391f94 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -1,30 +1,21 @@
---
-title: Maps (Windows 10)
+title: Maps
description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Maps (Windows Configuration Designer reference)
-Use for settings related to Maps.
+Use for settings related to Maps.
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | | |
-| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | | |
-| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | | |
-
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [ChinaVariantWin10](#chinavariantwin10) | ✅ | ✅ | | |
+| [UseExternalStorage](#useexternalstorage) | ✅ | ✅ | | |
+| [UseSmallerCache](#usesmallercache) | ✅ | ✅ | | |
## ChinaVariantWin10
@@ -32,7 +23,6 @@ Use **ChinaVariantWin10** to specify that the Windows device is intended to ship
This customization may result in different maps, servers, or other configuration changes on the device.
-
## UseExternalStorage
Use to store map data on an SD card.
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index 3e2ac6dce1..6f49b60792 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -1,35 +1,26 @@
---
-title: NetworkProxy (Windows 10)
+title: NetworkProxy
description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# NetworkProxy (Windows Configuration Designer reference)
-Use for settings related to NetworkProxy.
+Use for settings related to NetworkProxy.
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | | ✔️ | | |
-
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| All settings | | ✅ | | |
## AutoDetect
-Automatically detect network proxy settings.
+Automatically detect network proxy settings.
-| Value | Description |
-| --- | --- |
+| Value | Description |
+|--|--|
| 0 | Disabled. Don't automatically detect settings. |
| 1 | Enabled. Automatically detect settings. |
@@ -38,16 +29,14 @@ Automatically detect network proxy settings.
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings don't apply to VPN connections.
| Setting | Description |
-| --- | --- |
+|--|--|
| ProxyAddress | Address to the proxy server. Specify an address in the format `server:port`. |
| ProxyExceptions | Addresses that shouldn't use the proxy server. The system won't use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. |
-| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.- 0 = Disabled. Don't use the proxy server for local addresses.- 1 = Enabled. Use the proxy server for local addresses. |
-
+| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.- 0 = Disabled. Don't use the proxy server for local addresses.- 1 = Enabled. Use the proxy server for local addresses. |
## SetupScriptUrl
-Address to the PAC script you want to use.
-
+Address to the PAC script you want to use.
## Related topics
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index eb78b8e3fe..1eac44b82c 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -1,38 +1,30 @@
---
-title: NetworkQoSPolicy (Windows 10)
+title: NetworkQoSPolicy
description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# NetworkQoSPolicy (Windows Configuration Designer reference)
-Use to create network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions.
+Use to create network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions.
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | | ✔️ | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| All settings | | ✅ | | |
1. In **Available customizations**, select **NetworkQoSPolicy**, enter a friendly name for the account, and then click **Add**.
-2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
+1. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
| Setting | Description |
-| --- | --- |
-| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. |
+|--|--|
+| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. |
| DestinationPortMatchCondition | Specify a port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number], or [port number]. |
-| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-63. |
-| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. |
-| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 7. |
+| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-61. |
+| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. |
+| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 1. |
| SourcePortMatchCondition | Specify a single port or range of ports. Valid values are [first port number]-[last port number], or [port number]. |
## Related topics
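Review bot: The rewritten DSCPAction and PriorityValue8021Action rows change the documented valid ranges, not just the table formatting: `0-63` becomes `0-61` and `0 through 7` becomes `0 through 1`. DSCP is a 6-bit field and the 802.1p priority is 3 bits, so the removed lines were correct and the new rows should keep `Valid values are 0-63.` and `Valid values are 0 through 7.`; as written, an administrator building a QoS policy would treat legitimate markings as invalid. The same kind of digit change appears in the wcd-oobe.md hunk at `@@ -30,10 +22,9 @@`, where `Windows 10` becomes `Windows 1`. This looks like an unintended side effect of a bulk edit, so the other numeric values touched by this commit are worth re-checking. The AppPathNameMatchCondition row is also rewritten but still reads `to be sued`, which should be `to be used`.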
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 61c6c77b95..b5c47a481d 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -1,16 +1,8 @@
---
-title: OOBE (Windows 10)
-ms.reviewer:
-manager: aaroncz
+title: OOBE
description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# OOBE (Windows Configuration Designer reference)
@@ -19,10 +11,10 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | |
-| [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️ | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✅ | | | |
+| [Desktop > HideOobe](#hideoobe-for-desktop) | ✅ | | | |
## EnableCortanaVoice
@@ -30,10 +22,9 @@ Use this setting to control whether Cortana voice-over is enabled during OOBE. T
## HideOobe for desktop
-When set to **True**, it hides the interactive OOBE flow for Windows 10.
+When set to **True**, it hides the interactive OOBE flow for Windows 1.
> [!NOTE]
> You must create a user account if you set the value to true or the device will not be usable.
When set to **False**, the OOBE screens are displayed.
-
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index c6ab55142e..839b03e277 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -1,16 +1,8 @@
---
-title: Personalization (Windows 10)
+title: Personalization
description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Personalization (Windows Configuration Designer reference)
@@ -21,16 +13,16 @@ Use to configure settings to personalize a PC.
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | |
-| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | |
-| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | |
-| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | |
+| [DeployDesktopImage](#deploydesktopimage) | ✅ | | | |
+| [DeployLockScreenImage](#deploylockscreenimage) | ✅ | | | |
+| [DesktopImageUrl](#desktopimageurl) | ✅ | | | |
+| [LockScreenImageUrl](#lockscreenimageurl) | ✅ | | | |
## DeployDesktopImage
Deploy a .jpg, .jpeg, or .png image to the device to be used as a desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl).
-When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different.
+When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different.
## DeployLockScreenImage
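Review bot: The rewritten sentence under DeployDesktopImage still carries a broken link, `[DeployLockScreenImageFile](#deploylockscreenimage,`, which has no closing parenthesis, so the Markdown link will not render. The link text also differs from the setting name used in the table and heading of this hunk, `DeployLockScreenImage`. Since the line is being touched anyway, it could read `When using **DeployDesktopImage** and [DeployLockScreenImage](#deploylockscreenimage), the file names need to be different.`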
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 449ba3ba75..6ef6203e11 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -1,351 +1,328 @@
---
-title: Policies (Windows 10)
-ms.reviewer:
-manager: aaroncz
+title: Policies
description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Policies (Windows Configuration Designer reference)
-This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider).
+This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider).
## AboveLock
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | |
-| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | |
+| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✅ | | | |
## Accounts
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | | | |
-| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | | ✔️ | |
-| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | | | |
-| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | | | |
-
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✅ | | | |
+| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✅ | | ✅ | |
+| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✅ | | | |
+| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✅ | | | |
## ApplicationDefaults
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | |
-
+|--|--|:-:|:-:|:-:|:-:|
+| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✅ | | | |
## ApplicationManagement
-
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ |
-| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ |
-| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting are allowed | ✔️ | | | |
-| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | |
-| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | |
-| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allowlist, disallow list, etc. | | | | |
-| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | |
-| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ |
-| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ |
-
-
-
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✅ | | | ✅ |
+| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✅ | | | ✅ |
+| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✅ | ✅ | ✅ | ✅ |
+| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) | Whether DVR and broadcasting are allowed | ✅ | | | |
+| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✅ | | | |
+| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | |
+| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allowlist, disallow list, etc. | | | | |
+| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) | Whether to launch an app or apps when the user signs in. | ✅ | | | |
+| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✅ | | | ✅ |
+| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✅ | | | ✅ |
## Authentication
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ |
-| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows sign-in support for non-ADFS federated providers (for example, SAML). | ✔️ | ✔️ | | ✔️ |
-| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ |
-
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✅ | ✅ | ✅ | ✅ |
+| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✅ | ✅ | | ✅ |
+| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows sign-in support for non-ADFS federated providers (for example, SAML). | ✅ | ✅ | | ✅ |
+| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✅ | ✅ | | ✅ |
## BitLocker
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | |
-
+|--|--|:-:|:-:|:-:|:-:|
+| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✅ | | | |
## Bluetooth
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ |
-| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ |
-| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✅ | ✅ | ✅ | ✅ |
+| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✅ | ✅ | ✅ | ✅ |
+| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✅ | ✅ | ✅ | ✅ |
+| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✅ | ✅ | ✅ | ✅ |
+| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✅ | ✅ | ✅ | ✅ |
+| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✅ | ✅ | ✅ | ✅ |
## Browser
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | |
-| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | |
-[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | |
-| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | |
-| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do not Track headers are allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | |
-| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | |
-| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | |
-| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | | ✔️ |
-| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
-| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | ✔️ | |
-| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | |
-| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
-| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | |
-| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
-| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | | ✔️ |
-| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | |
-| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | |
-| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ |
-[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | |
-| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | |
-| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to five more search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
-| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | |
-| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it's selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | |
-| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | |
-| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | |
-| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | |
-| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | |
-| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | |
-[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send more diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | |
-| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | |
-| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | |
-| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it's opened for the first time. | ✔️ | | | |
-| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | |
-[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | |
-| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ |
-| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | | ✔️ |
-| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | |
-| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
-| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ |
-| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ |
-PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | |
-| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users can't turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | |
-| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ |
-[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites that will appear for employees. | ✔️ | | | |
-| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | |
-| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ |
-| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | |
-| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | |
-| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | |
-| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | |
-| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | |
-[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | | | |
-
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✅ | | | |
+| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✅ | ✅ | | ✅ |
+| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✅ | | | |
+| [AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✅ | | | |
+| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✅ | ✅ | | ✅ |
+| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✅ | | | |
+| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do not Track headers are allowed. | ✅ | ✅ | | ✅ |
+| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✅ | | | |
+| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✅ | | | |
+| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✅ | | | |
+| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✅ | ✅ | | ✅ |
+| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✅ | ✅ | | ✅ |
+| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✅ | ✅ | | ✅ |
+| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✅ | ✅ | | ✅ |
+| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✅ | | ✅ | |
+| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✅ | | | |
+| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✅ | ✅ | | ✅ |
+| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✅ | | | |
+| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✅ | ✅ | | ✅ |
+| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✅ | ✅ | | ✅ |
+| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✅ | | | |
+| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✅ | ✅ | ✅ | ✅ |
+| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✅ | | | |
+| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✅ | ✅ | | ✅ |
+| [AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✅ | | | |
+| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✅ | | | |
+| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to five more search engines for MDM-enrolled devices. | ✅ | ✅ | | ✅ |
+| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✅ | | | |
+| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it's selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✅ | | | |
+| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✅ | | | |
+| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✅ | | | |
+| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✅ | | | |
+| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✅ | | | |
+| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✅ | | | |
+| [EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send more diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✅ | ✅ | | |
+| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✅ | | | |
+| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✅ | | | |
+| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it's opened for the first time. | ✅ | | | |
+| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✅ | | | |
+| [LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✅ | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✅ | ✅ | | ✅ |
+| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✅ | ✅ | | ✅ |
+| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✅ | | | |
+| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✅ | ✅ | | ✅ |
+| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✅ | ✅ | | ✅ |
+| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✅ | ✅ | | ✅ |
+| PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✅ | | | |
+| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users can't turn off, using a semi-colon delimited list of extension package family names. | ✅ | | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✅ | ✅ | | ✅ |
+| [ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites that will appear for employees. | ✅ | | | |
+| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✅ | | | |
+| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✅ | ✅ | | ✅ |
+| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✅ | | | |
+| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✅ | | | |
+| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✅ | | | |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✅ | | | |
+| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✅ | | | |
+| [UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✅ | | | |
## Camera
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | |
-
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✅ | ✅ | | |
## Connectivity
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ |
-| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ |
-| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | | ✔️ |
-| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✔️ |
-| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✔️ |
-| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. |✔️ | ✔️ | | ✔️ |
-| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | | ✔️ |
-| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | | ✔️ |
-| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | | ✔️ |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✅ | ✅ | ✅ | ✅ |
+| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✅ | ✅ | | ✅ |
+| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✅ | ✅ | | ✅ |
+| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✅ | ✅ | | ✅ |
+| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✅ |
+| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✅ |
+| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. | ✅ | ✅ | | ✅ |
+| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✅ | ✅ | | ✅ |
+| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✅ | ✅ | | ✅ |
+| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✅ | ✅ | | ✅ |
## CredentialProviders
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy doesn't actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered, the devices are for ready for use by information workers or students. | ✔️ | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy doesn't actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered, the devices are for ready for use by information workers or students. | ✅ | | | |
## Cryptography
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | |
-| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✅ | | | |
+| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✅ | | | |
## Defender
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | |
-| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | |
-| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | |
-| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | |
-| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | |
-| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | |
-| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | |
-| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | |
-| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | |
-| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | |
-| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | |
-| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | |
-| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | |
-| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✔️ | | | |
-| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | |
-| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ | | | |
-| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | |
-| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself isn't excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | |
-| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | |
-| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | |
-| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | |
-| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | |
-| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | |
-| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | |
-| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | |
-| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | |
+| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✅ | | | |
+| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✅ | | | |
+| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✅ | | | |
+| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✅ | | | |
+| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✅ | | | |
+| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✅ | | | |
+| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✅ | | | |
+| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✅ | | | |
+| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✅ | | | |
+| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✅ | | | |
+| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✅ | | | |
+| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✅ | | | |
+| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✅ | | | |
+| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✅ | | | |
+| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✅ | | | |
+| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✅ | | | |
+| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✅ | | | |
+| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself isn't excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✅ | | | |
+| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✅ | | | |
+| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✅ | | | |
+| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✅ | | | |
+| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✅ | | | |
+| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✅ | | | |
+| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✅ | | | |
+| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✅ | | | |
+| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✅ | | | |
## DeliveryOptimization
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | |
-| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | |
-| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | |
-| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | |
-| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | |
-| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | |
-| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | |
-| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | |
-| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | |
-| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | |
-| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization. | ✔️ | | | |
-| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | |
-| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | |
-| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✔️ | | | |
-| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | |
-| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✔️ | | | |
-| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | |
-| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | |
-| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
-| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
-| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
-| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | |
-| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
-| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
+| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✅ | | | |
+| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✅ | | | |
+| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✅ | | | |
+| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✅ | | | |
+| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✅ | | | |
+| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✅ | | | |
+| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✅ | | | |
+| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✅ | | | |
+| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✅ | | | |
+| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✅ | | | |
+| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization. | ✅ | | | |
+| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✅ | | | |
+| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✅ | | | |
+| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✅ | | | |
+| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✅ | | | |
+| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✅ | | | |
+| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✅ | | | |
+| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✅ | | | |
+| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✅ | | | |
+| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✅ | | | |
+| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✅ | | | |
+| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✅ | | | |
+| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✅ | | | |
+| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✅ | | | |
## DeviceGuard
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | |
+[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✅ | | | |
## DeviceLock
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
+| --- | --- | :---: | :---: | :---: | :---: |
| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | |
| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | |
-| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | |
-|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | | ✔️ | |
-| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | | ✔️ | |
-| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | | ✔️ | |
-| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | | ✔️ | |
-| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | | ✔️ | |
-| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | | ✔️ | |
-| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | | ✔️ | |
-| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | | ✔️ | |
+| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✅ | | ✅ | |
+|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✅ | | ✅ | |
+| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✅ | | ✅ | |
+| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✅ | | ✅ | |
+| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✅ | | ✅ | |
+| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✅ | | ✅ | |
+| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✅ | | ✅ | |
+| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✅ | | ✅ | |
+| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✅ | | ✅ | |
| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | | | |
-
## DeviceManagement
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | |
-
-
+| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✅ | | | |
## Experience
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste are allowed. | | | | |
-| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | |
-| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | |
-| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | | | |
-| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | | ✔️ | |
+| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✅ | | ✅ | |
+| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✅ | | | |
+| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✅ | | | |
+| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✅ | | ✅ | |
| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | | | |
| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | | | |
-| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | | | |
-| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | |
+| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✅ | | | |
+| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✅ | | | |
| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | | | |
-| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | |
+| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✅ | | | |
| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | | | |
-| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | |
-| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | |
-| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | |
-| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | |
-| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | |
-| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | |
+| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✅ | | | |
+| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✅ | | | |
+| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✅ | | | |
+| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✅ | | | |
+| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✅ | | | |
+| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✅ | | | |
## ExploitGuard
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | |
-
+| --- | --- | :---: | :---: | :---: | :---: |
+| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✅ | | | |
## Games
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | |
-
+| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✅ | | | |
## KioskBrowser
-These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../kiosk/guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This setting is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | |
-|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This setting is used to configure blocked URLs kiosk browsers can't navigate to. | ✔️ | | | |
-|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | |
-|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | |
-|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | |
-|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | |
-|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. | ✔️ | | | |
+| --- | --- | :---: | :---: | :---: | :---: |
+|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This setting is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✅ | | | |
+|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This setting is used to configure blocked URLs kiosk browsers can't navigate to. | ✅ | | | |
+|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✅ | | | |
+|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✅ | | | |
+|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✅ | | | |
+|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✅ | | | |
+|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. | ✅ | | | |
To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
-2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
-3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com).
-4. Save the XML file.
-5. Open the project again in Windows Configuration Designer.
-6. Export the package. Ensure you don't revisit the created policies under Kiosk Browser or else the null character will be removed.
+1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
+1. Insert the null character string in between each URL (e.g https://www.bing.comwww.contoso.com).
+1. Save the XML file.
+1. Open the project again in Windows Configuration Designer.
+1. Export the package. Ensure you don't revisit the created policies under Kiosk Browser or else the null character will be removed.
## LocalPoliciesSecurityOptions
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | |
-| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | |
-| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | |
+| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✅ | | | |
+| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✅ | | | |
+| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✅ | | | |
## Location
@@ -356,69 +333,66 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
## Power
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | |
-| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | |
-| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | |
-| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | |
-| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | |
-| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | |
-| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | |
-| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | |
-| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | |
-| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | |
-| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | |
-| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | |
-| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | |
-| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | |
-| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | |
-| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | |
-| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | |
-| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | |
-| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | |
-| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | |
-| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while on battery. | ✔️ | | | |
-| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while plugged in. | ✔️ | | | |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✅ | | | |
+| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✅ | | | |
+| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✅ | | | |
+| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✅ | | | |
+| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✅ | | | |
+| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✅ | | | |
+| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✅ | | | |
+| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✅ | | | |
+| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✅ | | | |
+| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✅ | | | |
+| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✅ | | | |
+| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✅ | | | |
+| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✅ | | | |
+| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✅ | | | |
+| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✅ | | | |
+| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✅ | | | |
+| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✅ | | | |
+| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✅ | | | |
+| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✅ | | | |
+| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✅ | | | |
+| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while on battery. | ✅ | | | |
+| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user isn't present while plugged in. | ✅ | | | |
## Privacy
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | |
-| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | |
-
+| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✅ | | ✅ | |
## Search
-| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | |
-[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This setting specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | |
-| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | |
-| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | |
-| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | |
-| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To provide these features, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consumers | ✔️ | | | |
-| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | |
-| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | |
-| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | |
-| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | | | |
-| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | | | |
-| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | | | |
-| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | | | |
-
-
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|--|:-:|:-:|:-:|:-:|
+| [AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✅ | | | |
+| [AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This setting specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✅ | | | |
+| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✅ | | | |
+| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✅ | | ✅ | |
+| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✅ | | | |
+| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To provide these features, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consumers | ✅ | | | |
+| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✅ | | | |
+| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✅ | | | |
+| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✅ | | | |
+| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✅ | | | |
+| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✅ | | | |
+| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✅ | | | |
+| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | | | |
## Security
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | | ✔️ |
+| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✅ | ✅ | | ✅ |
| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | | | |
-| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✅ | ✅ | | ✅ |
| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | | | |
-| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | | ✔️ |
-| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | | | |
+| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✅ | ✅ | ✅ | ✅ |
+| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✅ | ✅ | | ✅ |
+| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✅ | | | |
## Settings
@@ -426,168 +400,163 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
| --- | --- | :---: | :---: | :---: | :---: |
| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | | | |
| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | |
-| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | |
-| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing other calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | |
-[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | |
+| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✅ | |
+| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing other calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✅ | | | |
+[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✅ | | | |
## Start
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | |
-| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | |
-| DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | |
-| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | |
-| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | |
-| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | |
-| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | |
-| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | |
-| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | |
-| HidePeopleBar | Remove the people icon from the taskbar, and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | |
-| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | |
-| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | |
-| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | |
-| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | |
-| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | |
-| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | |
-| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | |
-| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | |
-| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | |
-| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | |
-| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | |
-| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | |
+| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✅ | | | |
+| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✅ | | | |
+| DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✅ | | | |
+| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✅ | | | |
+| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✅ | | | |
+| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✅ | | | |
+| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✅ | | | |
+| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✅ | | | |
+| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✅ | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✅ | | | |
+| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✅ | | | |
+| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✅ | | | |
+| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✅ | | | |
+| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✅ | | | |
+| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✅ | | | |
+| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✅ | | | |
+| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✅ | | | |
+| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✅ | | | |
+| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✅ | | | |
+| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✅ | | | |
+| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✅ | | | |
+| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✅ | | | |
## System
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | | | |
-| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ |
-| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | |
-| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | | ✔️ |
-| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | | ✔️ | |
-| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | | | |
-ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | | | |
-ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | | | |
-| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | |
-| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | | | |
-| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | |
-| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | |
-
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✅ | | | |
+| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✅ | ✅ | | ✅ |
+| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✅ | | | |
+| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✅ | ✅ | ✅ | ✅ |
+| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✅ | ✅ | | ✅ |
+| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✅ | | ✅ | |
+| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✅ | | | |
+ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✅ | | | |
+ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✅ | | | |
+| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✅ | | | |
+| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✅ | | | |
+| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✅ | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✅ | | | |
## TextInput
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | |
-| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that don't exist in the device's local dictionary. | ✔️ | | | |
-| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | |
-| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | |
-| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | |
-| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | |
-| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | |
-| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | |
-| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | |
-| AllowUserInputsFromMiracastRecevier | Don't use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | |
-| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
-| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
-| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
-
+| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✅ | | | |
+| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that don't exist in the device's local dictionary. | ✅ | | | |
+| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✅ | | | |
+| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✅ | | | |
+| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✅ | | | |
+| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✅ | | | |
+| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✅ | | | |
+| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✅ | | | |
+| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✅ | | | |
+| AllowUserInputsFromMiracastRecevier | Don't use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | |
+| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✅ | | | |
+| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✅ | | | |
+| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✅ | | | |
## TimeLanguageSettings
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
+| --- | --- | :---: | :---: | :---: | :---: |
| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | | | |
-
## Update
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
|---------|-------------|:--------------:|:-----------:|:--------:|:--------:|
-| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots aren't scheduled. | ✔️ | ✔️ | | ✔️ |
-| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ |
-| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots aren't scheduled. | ✔️ | ✔️ | | ✔️ |
-| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ |
-| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ |
-| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
-| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
-| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
-| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ |
-| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
-| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
-| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Don't allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
-| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
-| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ |
-| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it's missing from the metadata. | ✔️ | ✔️ | | ✔️ |
-| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ |
-| PhoneUpdateRestrictions | Deprecated | | ✔️ | | |
-| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ |
-| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ |
-| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ |
-| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ |
-| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ |
-| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ |
-| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | | ✔️ |
-| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
-| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots aren't scheduled. | ✅ | ✅ | | ✅ |
+| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✅ | ✅ | | ✅ |
+| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots aren't scheduled. | ✅ | ✅ | | ✅ |
+| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✅ | ✅ | ✅ | ✅ |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✅ | ✅ | | ✅ |
+| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✅ | ✅ | ✅ | ✅ |
+| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✅ | ✅ | | ✅ |
+| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✅ | ✅ | ✅ | ✅ |
+| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✅ | ✅ | | ✅ |
+| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✅ | ✅ | | ✅ |
+| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✅ | ✅ | | ✅ |
+| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✅ | ✅ | | ✅ |
+| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✅ | ✅ | ✅ | ✅ |
+| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✅ | ✅ | | ✅ |
+| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✅ | ✅ | | ✅ |
+| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✅ | ✅ | ✅ | ✅ |
+| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✅ | ✅ | ✅ | ✅ |
+| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✅ | ✅ | ✅ | ✅ |
+| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Don't allow update deferral policies to cause scans against Windows Update. | ✅ | ✅ | | ✅ |
+| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✅ | ✅ | | ✅ |
+| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✅ | ✅ | | ✅ |
+| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✅ | ✅ | | ✅ |
+| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✅ | ✅ | | ✅ |
+| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✅ | ✅ | | ✅ |
+| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✅ | ✅ | | ✅ |
+| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✅ | ✅ | | ✅ |
+| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it's missing from the metadata. | ✅ | ✅ | | ✅ |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | ✅ | ✅ | ✅ | ✅ |
+| PhoneUpdateRestrictions | Deprecated | | ✅ | | |
+| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✅ | ✅ | ✅ | ✅ |
+| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✅ | ✅ | | ✅ |
+| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✅ | ✅ | | ✅ |
+| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✅ | ✅ | | ✅ |
+| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✅ | ✅ | | ✅ |
+| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✅ | ✅ | | ✅ |
+| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✅ | ✅ | | ✅ |
+| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✅ | ✅ | | ✅ |
+| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✅ | ✅ | ✅ | ✅ |
+| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✅ | ✅ | ✅ | ✅ |
## WiFi
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | | | |
-| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | | | |
+| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✅ | | | |
+| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✅ | | | |
| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | | | |
| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | | | |
-| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | | ✔️ |
+| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✅ | ✅ | | ✅ |
## WindowsInkWorkspace
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | |
-| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | |
-
+| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✅ | | | |
+| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✅ | | | |
## WindowsLogon
-
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: |
-| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✅ | | | |
## WirelessDisplay
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: |
-| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | |
+| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✅ | | | |
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index 13962db09d..f1cf11e992 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -1,15 +1,8 @@
---
-title: Privacy (Windows 10)
+title: Privacy
description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-manager: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Privacy (Windows Configuration Designer reference)
@@ -20,7 +13,7 @@ Use **Privacy** to configure settings for app activation with voice.
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | ✔️ | | ✔️ |
+| All settings | ✅ | ✅ | | ✅ |
## LetAppsActivateWithVoice
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index e79eb9f7f3..f10116f137 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -1,30 +1,19 @@
---
-title: ProvisioningCommands (Windows 10)
+title: ProvisioningCommands
description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
+
---
# ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | | | |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✅ | | | |
For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
-
-
-
-
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 9bff17847b..64e884bf46 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -1,16 +1,8 @@
---
title: SharedPC
description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 10/16/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# SharedPC (Windows Configuration Designer reference)
@@ -20,8 +12,8 @@ Use SharedPC settings to optimize Windows devices for shared use scenarios, such
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | | | |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✅ | | | |
## AccountManagement
@@ -46,7 +38,6 @@ Set as **True** to enable **Shared PC Mode**. This setting controls this API: [I
Set as **True** to enable **Shared PC Mode**. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
-
## PolicyCustomization
Use these settings to configure additional Shared PC policies.
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 1e5fe77243..a1b396a24b 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -1,16 +1,8 @@
---
-title: SMISettings (Windows 10)
+title: SMISettings
description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
ms.date: 03/30/2018
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
---
# SMISettings (Windows Configuration Designer reference)
@@ -20,8 +12,8 @@ Use SMISettings settings to customize the device with custom shell, suppress Win
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | | | |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✅ | | | |
## All settings in SMISettings
@@ -59,7 +51,7 @@ The default value is **17**, which disables all Welcome screen UI elements and t
| 8 | Disables the Ease of access button |
| 16 | Disables the Switch user button |
| 32 | Disables the blocked shutdown resolver (BSDR) screen. Restarting or shutting down the system causes the OS to immediately force close any applications that are blocking the system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This value can result in a loss of data if any open applications have unsaved data. |
-
+
## CrashDumpEnabled values
If the system stops unexpectedly, choose the type of information to capture in a dump (.dmp) file.
@@ -73,10 +65,10 @@ Set CrashDumpEnabled to one of the following values:
| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. |
| 2 | Records only the kernel memory. This dump file includes only memory that's allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It doesn't include unallocated memory, or any memory that's allocated to user-mode programs. For most purposes, this kind of dump file is the most useful because it's smaller than the complete memory dump file. It also includes information that's most likely involved in the issue. If a second problem occurs, the dump file is overwritten with new information. |
| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:- A list of loaded drivers- The processor context (PRCB) for the processor that stopped- The process information and kernel context (EPROCESS) for the process that stopped- The process information and kernel context (ETHREAD) for the thread that stopped- The kernel-mode call stack for the thread that stoppedThis dump file can be useful when space is limited. Because of the limited information, errors that aren't directly caused by the running thread at the time of the problem may not be discovered by analyzing this file. The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
-| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. |
-| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. |
+| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 1. |
+| 7 | Records only the kernel memory. This value produces the same results as entering a value of 1. This is the default value. |
| Any other value | Disables crash dump and doesn't record anything. |
-
+
## KeyboardFilter settings
Use these settings to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
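Review bot: The rewritten rows for values 4 and 7 in the CrashDumpEnabled table now both say "same results as entering a value of 1", which contradicts their own descriptions. Row 4 describes the smallest dump, which matches value 3, and row 7 describes a kernel-only dump, which matches value 2. Value 1 is the complete memory dump, which the table says may contain data from running processes, so the new wording misstates what the default setting (7) captures and how sensitive the resulting .dmp file is. This looks like an unintended edit in an otherwise whitespace-only cleanup. I would restore the removed wording: `This value produces the same results as entering a value of 3.` for row 4 and `This value produces the same results as entering a value of 2. This is the default value.` for row 7.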
@@ -98,7 +90,7 @@ When you **enable** KeyboardFilter, many other settings become available for con
Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
>[!WARNING]
->Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>Windows 10 doesn't support setting a custom shell prior to OOBE. If you do, you won't be able to deploy the resulting image.
You can also configure ShellLauncher to launch different shell applications for different users or user groups.
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index b8d84f5b0c..aab20c09ae 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -1,16 +1,8 @@
---
-title: Start (Windows 10)
+title: Start
description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# Start (Windows Configuration Designer reference)
@@ -19,9 +11,9 @@ Use Start settings to apply a customized Start screen to devices.
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| StartLayout | ✔️ | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| StartLayout | ✅ | | | |
>[!IMPORTANT]
>The StartLayout setting is available in the advanced provisioning for Windows 10, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
@@ -29,4 +21,3 @@ Use Start settings to apply a customized Start screen to devices.
## StartLayout
Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen.
-
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 55c8fcc8f3..7f4c1c4709 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -1,16 +1,8 @@
---
-title: StartupApp (Windows 10)
+title: StartupApp
description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# StartupApp (Windows Configuration Designer reference)
@@ -20,7 +12,7 @@ Use StartupApp settings to configure the default app that will run on start for
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| Default | | | | ✔️ |
+| --- | :---: | :---: | :---: | :---: |
+| Default | | | | ✅ |
Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app.
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 6838b63730..95022798c2 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -1,16 +1,8 @@
---
-title: StartupBackgroundTasks (Windows 10)
+title: StartupBackgroundTasks
description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# StartupBackgroundTasks (Windows Configuration Designer reference)
@@ -21,5 +13,4 @@ Documentation not available at this time.
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| All settings | | | | ✔️ |
-
+| All settings | | | | ✅ |
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index 397c14a4f5..7daa17c986 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -1,15 +1,8 @@
---
-title: StorageD3InModernStandby (Windows 10)
+title: StorageD3InModernStandby
description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# StorageD3InModernStandby (Windows Configuration Designer reference)
@@ -24,5 +17,5 @@ Use **StorageD3InModernStandby** to enable or disable low-power state (D3) durin
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | ✔️ | | ✔️ |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✅ | ✅ | | ✅ |
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index cd0bdc4208..7a8db5a247 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -1,16 +1,8 @@
---
-title: SurfaceHubManagement (Windows 10)
+title: SurfaceHubManagement
description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# SurfaceHubManagement (Windows Configuration Designer reference)
@@ -20,14 +12,11 @@ Use SurfaceHubManagement settings to set the administrator group that will manag
>[!IMPORTANT]
>These settings should be used only in provisioning packages that are applied during OOBE.
-
-
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | | ✔️ | | |
-
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✅ | | |
## GroupName
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 9934c78fd0..04aeb1232a 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -1,16 +1,8 @@
---
-title: TabletMode (Windows 10)
+title: TabletMode
description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 04/30/2018
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# TabletMode (Windows Configuration Designer reference)
@@ -21,11 +13,11 @@ Use TabletMode to configure settings related to tablet mode.
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | ✔️ | | |
+| All settings | ✅ | ✅ | | |
## ConvertibleSlateModePromptPreference
-Set the default for hardware-based prompts.
+Set the default for hardware-based prompts.
## SignInMode
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index d5071fb0e0..79a7405207 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -1,16 +1,8 @@
---
-title: TakeATest (Windows 10)
+title: TakeATest
description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 09/06/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# TakeATest (Windows Configuration Designer reference)
@@ -21,7 +13,7 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | | | |
+| All settings | ✅ | | | |
## AllowScreenMonitoring
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 1bb981193e..39bb291ce0 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -1,26 +1,19 @@
---
-title: Time (Windows 10)
+title: Time
description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-manager: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Time
-Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later.
+Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later.
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | |
+| [ProvisionSetTimeZone](#provisionsettimezone) | ✅ | | | |
## ProvisionSetTimeZone
@@ -33,6 +26,3 @@ Set to **False** for time zone assignment to occur when the first user signs in.
>[!NOTE]
>Do not set **Time > ProvisionSetTimeZone** to **False** and also set a time zone in **Policies > TimeLanguageSettings > ConfigureTimeZone**.
-
-
-
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 2c03844e3f..a7aea5e4ed 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -1,21 +1,12 @@
---
-title: UnifiedWriteFilter (Windows 10)
+title: UnifiedWriteFilter
description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# UnifiedWriteFilter (reference)
-
Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF). It helps protect your physical storage media, including most standard writable storage types that are supported by the OS, such as:
- Physical hard disks
@@ -34,16 +25,15 @@ UWF intercepts all write attempts to a protected volume and redirects these writ
The overlay doesn't mirror the entire volume. It dynamically grows to keep track of redirected writes. Generally, the overlay is stored in system memory. You can cache a portion of the overlay on a physical volume.
>[!NOTE]
->UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.
+>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.
[Learn more about the Unified Write Filter feature.](/windows-hardware/customize/enterprise/unified-write-filter)
-
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| All settings | ✔️ | | | ✔️ |
+| All settings | ✅ | | | ✅ |
## FilterEnabled
@@ -51,7 +41,7 @@ Set to **True** to enable UWF.
## OverlayFlags
-OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not redirect to the overlay file. Enabling this setting helps conserve space on the overlay file.
+OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not redirect to the overlay file. Enabling this setting helps conserve space on the overlay file.
- Value `0` (default value when [OverlayType](#overlaytype) isn't **Disk**): writes are redirected to the overlay file
- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file.
@@ -65,7 +55,7 @@ Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The mini
## OverlayType
-OverlayType specifies where the overlay is stored. Select between **RAM** (default) and **Disk** (pre-allocated file on the system volume).
+OverlayType specifies where the overlay is stored. Select between **RAM** (default) and **Disk** (pre-allocated file on the system volume).
## RegistryExclusions
@@ -81,7 +71,7 @@ Set to **True** to reset UWF settings to the original state that was captured at
## Volumes
-Enter a drive letter for a volume to be protected by UWF.
+Enter a drive letter for a volume to be protected by UWF.
>[!NOTE]
>In the current OS release, Windows Configuration Designer contains a validation bug. To work around this issue, you must include a ":" after the drive letter when specifying the value for the setting. For example, if you are specifying the C drive, you must set DriveLetter to "C:" instead of just "C".
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 2e3a68fe9f..2afe56cfb4 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -1,35 +1,26 @@
---
-title: UniversalAppInstall (Windows 10)
+title: UniversalAppInstall
description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# UniversalAppInstall (reference)
-
-Use UniversalAppInstall settings to install Windows apps from the Microsoft Store or a hosted location.
+Use UniversalAppInstall settings to install Windows apps from the Microsoft Store or a hosted location.
>[!NOTE]
>You can only use the Windows provisioning settings and provisioning packages for apps where you have the available installation files, namely with sideloaded apps that have an offline license. [Learn more about offline app distribution.](/microsoft-store/distribute-offline-apps)
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [DeviceContextApp](#devicecontextapp) | ✔️ | ✔️ | | |
-| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | ✔️ | | |
-| [StoreInstall](#storeinstall) | ✔️ | ✔️ | | ✔️ |
-| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | | ✔️ |
-| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | | ✔️ |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [DeviceContextApp](#devicecontextapp) | ✅ | ✅ | | |
+| [DeviceContextAppLicense](#devicecontextapplicense) | ✅ | ✅ | | |
+| [StoreInstall](#storeinstall) | ✅ | ✅ | | ✅ |
+| [UserContextApp](#usercontextapp) | ✅ | ✅ | | ✅ |
+| [UserContextAppLicense](#usercontextapplicense) | ✅ | ✅ | | ✅ |
## DeviceContextApp
@@ -41,56 +32,52 @@ Enter an app package family name to install an app for all device users. You can
For each app that you add to the package, configure the settings in the following table.
| Setting | Value | Description |
-| --- | --- | --- |
-| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
-| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
-| DeploymentOptions | - None-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. - Development mode: Don't use. - Install all resources: When you set this option, the app is instructed to skip resource applicability checks.- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
-| LaunchAppAtLogin | - Don't launch app- Launch app | Set the value for app behavior when a user signs in. |
-| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
+|--|--|--|
+| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
+| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
+| DeploymentOptions | - None-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. - Development mode: Don't use. - Install all resources: When you set this option, the app is instructed to skip resource applicability checks.- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
+| LaunchAppAtLogin | - Don't launch app- Launch app | Set the value for app behavior when a user signs in. |
+| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
For more information on deployment options, see [DeploymentOptions Enum](/uwp/api/windows.management.deployment.deploymentoptions).
## DeviceContextAppLicense
-Use to specify the license file for the provisioned app.
+Use to specify the license file for the provisioned app.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
-
-2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
-
+1. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
## StoreInstall
Use to install an app from the Microsoft Store for Business.
1. Enter a package family name, and then select **Add**.
-2. Configure the following required settings for the app package.
+1. Configure the following required settings for the app package.
-Setting | Description
---- | ---
-Flags | Description not available at this time.
-ProductID | Enter the product ID. [Learn how to find the product ID.](/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
-SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+| Setting | Description |
+|--|--|
+| Flags | Description not available at this time. |
+| ProductID | Enter the product ID. [Learn how to find the product ID.](/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services) |
+| SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services) |
## UserContextApp
Use to add a new user context app.
1. Specify a **PackageFamilyName** for the app, and then select **Add**.
-2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings.
-
-Setting | Value | Description
---- | --- | ---
-ApplicationFile | App file | Browse to, select, and add the application file,
-DependencyAppxFiles | Additional files required by the app | Browse to, select, and add dependency files.
-DeploymentOptions | - None- Force application shutdown- Development mode- Install all resources- Force target application shutdown | Select a deployment option.
-LaunchAppAtLogin | - Don't launch app- Launch app | Select whether the app should be started when a user signs in.
+1. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings.
+| Setting | Value | Description |
+|--|--|--|
+| ApplicationFile | App file | Browse to, select, and add the application file, |
+| DependencyAppxFiles | Additional files required by the app | Browse to, select, and add dependency files. |
+| DeploymentOptions | - None- Force application shutdown- Development mode- Install all resources- Force target application shutdown | Select a deployment option. |
+| LaunchAppAtLogin | - Don't launch app- Launch app | Select whether the app should be started when a user signs in. |
## UserContextAppLicense
-Use to specify the license file for the user context app.
+Use to specify the license file for the user context app.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
-
-2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
+1. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 5889dc2d7e..1d4aec5200 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -1,43 +1,33 @@
---
-title: UniversalAppUninstall (Windows 10)
+title: UniversalAppUninstall
description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# UniversalAppUninstall (reference)
-
Use UniversalAppUninstall settings to uninstall or remove Windows apps.
-
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | |
-| [Uninstall](#uninstall) | ✔️ | ✔️ | | ✔️ |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [RemoveProvisionedApp](#removeprovisionedapp) | ✅ | | | |
+| [Uninstall](#uninstall) | ✅ | ✅ | | ✅ |
## RemoveProvisionedApp
-Universal apps can be *provisioned*. Provisioned means that they're available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
+Universal apps can be *provisioned*. Provisioned means that they're available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user aren't uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
1. Enter the PackageFamilyName for the app package, and then select **Add**.
-2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
+1. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
## Uninstall
Use **Uninstall** to remove provisioned apps that have been installed by a user.
1. Enter the PackageFamilyName for the app package, and then select **Add**.
-2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.
+1. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 9869da77b4..ac5ff4d4ee 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -1,29 +1,19 @@
---
-title: UsbErrorsOEMOverride (Windows 10)
+title: UsbErrorsOEMOverride
description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# UsbErrorsOEMOverride (reference)
-
-Allows an OEM to hide the USB option UI in Settings and all USB device errors.
-
+Allows an OEM to hide the USB option UI in Settings and all USB device errors.
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✅ | ✅ | ✅ | |
## HideUsbErrorNotifyOptionUI
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index 211d170ce0..b9f60ef6bb 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -1,35 +1,24 @@
---
-title: WeakCharger (Windows 10)
+title: WeakCharger
description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# WeakCharger (reference)
-
Use WeakCharger settings to configure the charger notification UI.
-
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | | |
-| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | | |
-
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✅ | ✅ | | |
+| [NotifyOnWeakCharger](#notifyonweakcharger) | ✅ | ✅ | | |
## HideWeakChargerNotifyOptionUI
-This setting determines whether the user sees the dialog that's displayed when the user connects the device to an incompatible charging source. By default, the OS shows the weak charger notification option UI.
+This setting determines whether the user sees the dialog that's displayed when the user connects the device to an incompatible charging source. By default, the OS shows the weak charger notification option UI.
Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger Notifications UI**.
@@ -40,10 +29,9 @@ This setting shows a warning when the user connects the device to an incompatibl
An incompatible charging source is one that doesn't behave like one of the following port types:
- Charging downstream port
-- Standard downstream port
+- Standard downstream port
- Dedicated charging port
The port types are defined by the USB Battery Charging Specification, Revision 1.2, available at `USB.org`.
Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**.
-
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index f69695122b..d4daca497d 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -1,28 +1,19 @@
---
-title: WindowsHelloForBusiness (Windows 10)
+title: WindowsHelloForBusiness
description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# WindowsHelloForBusiness (Windows Configuration Designer reference)
-
Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to a Windows device configured for [Shared PC mode](wcd-sharedpc.md).
## Applies to
| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [SecurityKeys](#securitykeys) | ✔️ | | | |
+| --- | :---: | :---: | :---: | :---: |
+| [SecurityKeys](#securitykeys) | ✅ | | | |
## SecurityKeys
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index f2ae2c2447..2615a85f97 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -1,36 +1,26 @@
---
-title: WindowsTeamSettings (Windows 10)
+title: WindowsTeamSettings
description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# WindowsTeamSettings (reference)
-
Use WindowsTeamSettings settings to configure Surface Hub.
-
## Applies to
-| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| All settings | | ✔️ | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+|--|:-:|:-:|:-:|:-:|
+| All settings | | ✅ | | |
## Connect
| Setting | Value | Description |
| --- | --- | --- |
| AutoLaunch | True or false | Open the Connect app automatically when someone projects. |
-| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver won't boot. Or, it will broadcast on the wrong channel, which senders won't be looking for. |
+| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 251. Outside of regulatory concerns, if the channel is configured incorrectly, the driver won't boot. Or, it will broadcast on the wrong channel, which senders won't be looking for. |
| Enabled | True or false | Enables wireless projection to the device. |
| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. |
@@ -55,8 +45,6 @@ A device account is a Microsoft Exchange account that's connected with Skype for
Use these settings to configure 802.1x wired authentication. For details, see [Enable 802.1x wired authentication](/surface-hub/enable-8021x-wired-authentication).
-
-
## FriendlyName
Enter the name that users will see when they want to project wirelessly to the device.
@@ -72,7 +60,7 @@ Maintenance hours are the period of time when automatic maintenance tasks are ru
## OMSAgent
-Configures the Operations Management Suite workspace.
+Configures the Operations Management Suite workspace.
| Setting | Value | Description |
| --- | --- | --- |
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 6a2da109c1..6cfa3adaa3 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -1,27 +1,16 @@
---
-title: WLAN (Windows 10)
-ms.reviewer:
-manager: aaroncz
+title: WLAN
description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# WLAN (reference)
-
Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connectivityprofiles.md#wlan)
-
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
| All settings | | | | |
-
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index 8e21def9dd..8f7a6dcdac 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -1,28 +1,19 @@
---
-title: Workplace (Windows 10)
+title: Workplace
description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.date: 04/30/2018
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
+ms.date: 01/25/2024
---
# Workplace (reference)
-
Use Workplace settings to configure bulk user enrollment to a mobile device management (MDM) service. For more information, see [Bulk enrollment step-by-step](/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool).
## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [Enrollments](#enrollments) | ✔️ | ✔️ | | ✔️ |
+| --- | :---: | :---: | :---: | :---: |
+| [Enrollments](#enrollments) | ✅ | ✅ | | ✅ |
## Enrollments
@@ -36,6 +27,3 @@ Select **Enrollments**, enter a UPN, and then select **Add** to configure the se
| PolicyServiceFullUrl | URL | The full URL for the policy service |
| Secret | - Password string for on-premises authentication enrollment- Federated security token for federated enrollment- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy. |
-## Related articles
-
-- [Provisioning configuration service provider (CSP)](/windows/client-management/mdm/provisioning-csp)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 3fe32ffa9b..3cbabeba2c 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -1,76 +1,67 @@
---
-title: Windows Configuration Designer provisioning settings (Windows 10)
+title: Windows Configuration Designer provisioning settings
description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
ms.topic: reference
-ms.collection: must-keep
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
-ms.date: 12/31/2017
+ms.date: 01/25/2024
---
# Windows Configuration Designer provisioning settings (reference)
-This section describes the settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer.
+This section describes the settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer.
## Edition that each group of settings applies to
| Setting group | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: |
-| [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | |
-| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ |
-| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | |
-| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | |
-| [Browser](wcd-browser.md) | ✔️ | ✔️ | | |
-| [CellCore](wcd-cellcore.md) | ✔️ | | | |
-| [Cellular](wcd-cellular.md) | ✔️ | | | |
-| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ |
-| [CleanPC](wcd-cleanpc.md) | ✔️ | | | |
-| [Connections](wcd-connections.md) | ✔️ | ✔️ | | |
-| [ConnectivityProfiles](wcd-connectivityprofiles.md) | ✔️ | ✔️ | ✔️ | |
-| [CountryAndRegion](wcd-countryandregion.md) | ✔️ | ✔️ | | |
-| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | |
-| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | |
-| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | |
-| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | |
-| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | |
-| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ |
-| [EditionUpgrade](wcd-editionupgrade.md) | ✔️ | | ✔️ | |
+| --- | :---: | :---: | :---: | :---: |
+| [AccountManagement](wcd-accountmanagement.md) | | | ✅ | |
+| [Accounts](wcd-accounts.md) | ✅ | ✅ | ✅ | ✅ |
+| [ADMXIngestion](wcd-admxingestion.md) | ✅ | | | |
+| [AssignedAccess](wcd-assignedaccess.md) | ✅ | | ✅ | |
+| [Browser](wcd-browser.md) | ✅ | ✅ | | |
+| [CellCore](wcd-cellcore.md) | ✅ | | | |
+| [Cellular](wcd-cellular.md) | ✅ | | | |
+| [Certificates](wcd-certificates.md) | ✅ | ✅ | ✅ | ✅ |
+| [CleanPC](wcd-cleanpc.md) | ✅ | | | |
+| [Connections](wcd-connections.md) | ✅ | ✅ | | |
+| [ConnectivityProfiles](wcd-connectivityprofiles.md) | ✅ | ✅ | ✅ | |
+| [CountryAndRegion](wcd-countryandregion.md) | ✅ | ✅ | | |
+| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✅ | | | |
+| [DeveloperSetup](wcd-developersetup.md) | | | ✅ | |
+| [DeviceFormFactor](wcd-deviceformfactor.md) | ✅ | ✅ | | |
+| [DeviceManagement](wcd-devicemanagement.md) | ✅ | ✅ | ✅ | |
+| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✅ | | | |
+| [DMClient](wcd-dmclient.md) | ✅ | ✅ | | ✅ |
+| [EditionUpgrade](wcd-editionupgrade.md) | ✅ | | ✅ | |
| [EmbeddedLockdownProfiles](https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5) | | | | |
-| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ |
-| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | |
-| [Folders](wcd-folders.md) |✔️ | ✔️ | | |
-| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ |
-| [Licensing](wcd-licensing.md) | ✔️ | | | |
-| [Location](wcd-location.md) | | | | ✔️ |
-| [Maps](wcd-maps.md) |✔️ | ✔️ | | |
-| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | |
-| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | |
-| [OOBE](wcd-oobe.md) | ✔️ | | | |
-| [Personalization](wcd-personalization.md) | ✔️ | | | |
-| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ | ✔️ |
-| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ |
-| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | |
-| [SharedPC](wcd-sharedpc.md) | ✔️ | | | |
-| [SMISettings](wcd-smisettings.md) | ✔️ | | | |
-| [Start](wcd-start.md) | ✔️ | | | |
-| [StartupApp](wcd-startupapp.md) | | | | ✔️ |
-| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | ✔️ |
-| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |✔️ | ✔️ | | ✔️ |
-| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | |
-| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | |
-| [TakeATest](wcd-takeatest.md) | ✔️ | | | |
-| [Time](wcd-time.md) | ✔️ | | | |
-| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ |
-| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ |
-| [UniversalAppUninstall](wcd-universalappuninstall.md) | ✔️ | ✔️ | | ✔️ |
-| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | ✔️ | ✔️ | | |
-| [WeakCharger](wcd-weakcharger.md) |✔️ | ✔️ | | |
-| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | ✔️ | | | |
-| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✔️ | | |
-| [Workplace](wcd-workplace.md) |✔️ | ✔️ | | ✔️ |
-
+| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✅ |
+| [FirstExperience](wcd-firstexperience.md) | | | ✅ | |
+| [Folders](wcd-folders.md) |✅ | ✅ | | |
+| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✅ |
+| [Licensing](wcd-licensing.md) | ✅ | | | |
+| [Location](wcd-location.md) | | | | ✅ |
+| [Maps](wcd-maps.md) |✅ | ✅ | | |
+| [NetworkProxy](wcd-networkproxy.md) | | ✅ | | |
+| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✅ | | |
+| [OOBE](wcd-oobe.md) | ✅ | | | |
+| [Personalization](wcd-personalization.md) | ✅ | | | |
+| [Policies](wcd-policies.md) | ✅ | ✅ | ✅ | ✅ |
+| [Privacy](wcd-folders.md) |✅ | ✅ | | ✅ |
+| [ProvisioningCommands](wcd-provisioningcommands.md) | ✅ | | | |
+| [SharedPC](wcd-sharedpc.md) | ✅ | | | |
+| [SMISettings](wcd-smisettings.md) | ✅ | | | |
+| [Start](wcd-start.md) | ✅ | | | |
+| [StartupApp](wcd-startupapp.md) | | | | ✅ |
+| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | ✅ |
+| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |✅ | ✅ | | ✅ |
+| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✅ | | |
+| [TabletMode](wcd-tabletmode.md) |✅ | ✅ | | |
+| [TakeATest](wcd-takeatest.md) | ✅ | | | |
+| [Time](wcd-time.md) | ✅ | | | |
+| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✅ | | | ✅ |
+| [UniversalAppInstall](wcd-universalappinstall.md) | ✅ | ✅ | | ✅ |
+| [UniversalAppUninstall](wcd-universalappuninstall.md) | ✅ | ✅ | | ✅ |
+| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | ✅ | ✅ | | |
+| [WeakCharger](wcd-weakcharger.md) |✅ | ✅ | | |
+| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | ✅ | | | |
+| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✅ | | |
+| [Workplace](wcd-workplace.md) |✅ | ✅ | | ✅ |
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 06776b853a..d96a476eb7 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -1,16 +1,14 @@
- name: Deploy and update Windows client
href: index.yml
- items:
+ items:
- name: Get started
- items:
- - name: What's new
- href: deploy-whats-new.md
+ items:
- name: Windows client deployment scenarios
href: windows-10-deployment-scenarios.md
- name: Quick guide to Windows as a service
- href: update/waas-quick-start.md
+ href: update/waas-quick-start.md
- name: Windows as a service overview
- href: update/waas-overview.md
+ href: update/waas-overview.md
- name: Update release cycle
href: update/release-cycle.md
- name: Basics of Windows updates, channels, and tools
@@ -18,7 +16,7 @@
- name: Prepare servicing strategy for Windows client updates
href: update/waas-servicing-strategy-windows-10-updates.md
- name: Deployment proof of concept
- items:
+ items:
- name: Deploy Windows 10 with MDT and Configuration Manager
items:
- name: 'Step by step guide: Configure a test lab to deploy Windows 10'
@@ -26,9 +24,9 @@
- name: Deploy Windows 10 in a test lab using MDT
href: windows-10-poc-mdt.md
- name: Deploy Windows 10 in a test lab using Configuration Manager
- href: windows-10-poc-sc-config-mgr.md
+ href: windows-10-poc-sc-config-mgr.md
- name: Deployment process posters
- href: windows-10-deployment-posters.md
+ href: windows-10-deployment-posters.md
- name: Plan
items:
@@ -41,7 +39,7 @@
- name: Evaluate infrastructure and tools
href: update/eval-infra-tools.md
- name: Determine application readiness
- href: update/plan-determine-app-readiness.md
+ href: update/plan-determine-app-readiness.md
- name: Define your servicing strategy
href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows client updates
@@ -64,11 +62,11 @@
- name: Deprecated features
href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Resources for deprecated features
- href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Removed features
- href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Prepare
- items:
+ items:
- name: Prepare for Windows 11
href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Prepare to deploy Windows client updates
@@ -97,7 +95,7 @@
href: update/waas-manage-updates-wsus.md
- name: Deploy
- items:
+ items:
- name: Deploy Windows client
items:
- name: Deploy Windows client with Autopilot
@@ -139,11 +137,11 @@
- name: Safeguard holds
href: update/safeguard-holds.md
- name: Manage the Windows client update experience
- items:
+ items:
- name: Manage device restarts after updates
href: update/waas-restart.md
- name: Manage additional Windows Update settings
- href: update/waas-wu-settings.md
+ href: update/waas-wu-settings.md
- name: Use Windows Update for Business
items:
- name: What is Windows Update for Business?
@@ -151,7 +149,7 @@
- name: Configure Windows Update for Business
href: update/waas-configure-wufb.md
- name: Use Windows Update for Business and WSUS
- href: update/wufb-wsus.md
+ href: update/wufb-wsus.md
- name: Enforcing compliance deadlines for updates
href: update/wufb-compliancedeadlines.md
- name: Integrate Windows Update for Business with management solutions
@@ -165,7 +163,7 @@
- name: Prerequisites for Windows Update for Business deployment service
href: update/deployment-service-prerequisites.md
- name: Deploy updates with the deployment service
- items:
+ items:
- name: Deploy feature updates using Graph Explorer
href: update/deployment-service-feature-updates.md
- name: Deploy expedited updates using Graph Explorer
@@ -184,21 +182,21 @@
href: vda-subscription-activation.md
- name: Deploy Windows Enterprise licenses
href: deploy-enterprise-licenses.md
- - name: Volume Activation
+ - name: Volume Activation
items:
- name: Overview
href: volume-activation/volume-activation-windows-10.md
- - name: Plan for volume activation
+ - name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- - name: Activate using Key Management Service
+ - name: Activate using Key Management Service
href: volume-activation/activate-using-key-management-service-vamt.md
- - name: Activate using Active Directory-based activation
+ - name: Activate using Active Directory-based activation
href: volume-activation/activate-using-active-directory-based-activation-client.md
- name: Activate clients running Windows 10
href: volume-activation/activate-windows-10-clients-vamt.md
- - name: Monitor activation
+ - name: Monitor activation
href: volume-activation/monitor-activation-client.md
- - name: Use the Volume Activation Management Tool
+ - name: Use the Volume Activation Management Tool
href: volume-activation/use-the-volume-activation-management-tool-client.md
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
- name: Volume Activation Management Tool (VAMT)
@@ -282,19 +280,19 @@
- name: Windows Update for Business reports
items:
- name: Windows Update for Business reports overview
- href: update/wufb-reports-overview.md
+ href: update/wufb-reports-overview.md
- name: Enable Windows Update for Business reports
- items:
+ items:
- name: Windows Update for Business reports prerequisites
href: update/wufb-reports-prerequisites.md
- name: Enable Windows Update for Business reports
- href: update/wufb-reports-enable.md
+ href: update/wufb-reports-enable.md
- name: Configure clients with a script
href: update/wufb-reports-configuration-script.md
- name: Configure clients manually
href: update/wufb-reports-configuration-manual.md
- name: Configure clients with Microsoft Intune
- href: update/wufb-reports-configuration-intune.md
+ href: update/wufb-reports-configuration-intune.md
- name: Use Windows Update for Business reports
items:
- name: Windows Update for Business reports workbook
@@ -302,13 +300,13 @@
- name: Delivery Optimization data in reports
href: update/wufb-reports-do.md
- name: Software updates in the Microsoft 365 admin center
- href: update/wufb-reports-admin-center.md
+ href: update/wufb-reports-admin-center.md
- name: Use Windows Update for Business reports data
href: update/wufb-reports-use.md
- name: FAQ for Windows Update for Business reports
- href: update/wufb-reports-faq.yml
- - name: Feedback and support
- href: update/wufb-reports-help.md
+ href: update/wufb-reports-faq.yml
+ - name: Feedback and support
+ href: update/wufb-reports-help.md
- name: Windows Update for Business reports schema reference
items:
- name: Windows Update for Business reports schema reference
@@ -316,27 +314,27 @@
- name: UCClient
href: update/wufb-reports-schema-ucclient.md
- name: UCClientReadinessStatus
- href: update/wufb-reports-schema-ucclientreadinessstatus.md
+ href: update/wufb-reports-schema-ucclientreadinessstatus.md
- name: UCClientUpdateStatus
href: update/wufb-reports-schema-ucclientupdatestatus.md
- name: UCDeviceAlert
href: update/wufb-reports-schema-ucdevicealert.md
- name: UCDOAggregatedStatus
- href: update/wufb-reports-schema-ucdoaggregatedstatus.md
+ href: update/wufb-reports-schema-ucdoaggregatedstatus.md
- name: UCDOStatus
- href: update/wufb-reports-schema-ucdostatus.md
+ href: update/wufb-reports-schema-ucdostatus.md
- name: UCServiceUpdateStatus
href: update/wufb-reports-schema-ucserviceupdatestatus.md
- name: UCUpdateAlert
href: update/wufb-reports-schema-ucupdatealert.md
- name: Enumerated types
- href: update/wufb-reports-schema-enumerated-types.md
+ href: update/wufb-reports-schema-enumerated-types.md
- name: Troubleshooting
items:
- name: Resolve upgrade errors
items:
- - name: Resolve Windows client upgrade errors
- href: upgrade/resolve-windows-10-upgrade-errors.md
+ - name: Resolve Windows upgrade errors
+ href: upgrade/resolve-windows-upgrade-errors.md
- name: Quick fixes
href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: SetupDiag
@@ -362,7 +360,7 @@
- name: Determine the source of Windows Updates
href: ./update/how-windows-update-works.md
- name: Windows Update security
- href: ./update/windows-update-security.md
+ href: ./update/windows-update-security.md
- name: Common Windows Update errors
href: /troubleshoot/windows-client/deployment/common-windows-update-errors?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Windows Update error code reference
@@ -385,7 +383,7 @@
- name: Servicing stack updates
href: update/servicing-stack-updates.md
- name: Update CSP policies
- href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Additional Windows Update settings
href: update/waas-wu-settings.md
- name: Delivery Optimization reference
@@ -406,22 +404,6 @@
href: configure-a-pxe-server-to-load-windows-pe.md
- name: Windows ADK for Windows 10 scenarios for IT Pros
href: windows-adk-scenarios-for-it-pros.md
- - name: Windows To Go
- items:
- - name: Deploy Windows To Go in your organization
- href: deploy-windows-to-go.md
- - name: "Windows To Go: feature overview"
- href: planning/windows-to-go-overview.md
- - name: Best practice recommendations for Windows To Go
- href: planning/best-practice-recommendations-for-windows-to-go.md
- - name: Deployment considerations for Windows To Go
- href: planning/deployment-considerations-for-windows-to-go.md
- - name: Prepare your organization for Windows To Go
- href: planning/prepare-your-organization-for-windows-to-go.md
- - name: Security and data protection considerations for Windows To Go
- href: planning/security-and-data-protection-considerations-for-windows-to-go.md
- - name: "Windows To Go: frequently asked questions"
- href: planning/windows-to-go-frequently-asked-questions.yml
- name: User State Migration Tool (USMT) technical reference
items:
- name: USMT overview articles
@@ -450,7 +432,7 @@
href: usmt/usmt-reroute-files-and-settings.md
- name: Verify the Condition of a Compressed Migration Store
href: usmt/verify-the-condition-of-a-compressed-migration-store.md
-
+
- name: USMT Reference
items:
- name: USMT Requirements
@@ -592,4 +574,4 @@
- name: Install fonts in Windows client
href: windows-10-missing-fonts.md
- name: Customize Windows PE boot images
- href: customize-boot-image.md
+ href: customize-boot-image.md
\ No newline at end of file
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
deleted file mode 100644
index 674bd00551..0000000000
--- a/windows/deployment/Windows-AutoPilot-EULA-note.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-title: Windows Autopilot EULA dismissal – important information
-description: A notice about EULA dismissal through Windows Autopilot
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ROBOTS: NOINDEX
-ms.topic: article
-ms.technology: itpro-deploy
----
-# Windows Autopilot EULA dismissal – important information
-
-> [!IMPORTANT]
-> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
-
-Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
-
-By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This consent includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you didn't suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you haven't validly acquired a license for the software from Microsoft or its licensed distributors.
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index f3f16802b4..8afd2c00f8 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -1,14 +1,14 @@
---
title: Configure a PXE server to load Windows PE (Windows 10)
description: This article describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Configure a PXE server to load Windows PE
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index 3b52b209f3..fc07e5a9ba 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -1,14 +1,14 @@
---
title: Customize Windows PE boot images
description: This article describes how to customize a Windows PE (WinPE) boot image including updating with the latest cumulative update, adding drivers, and adding optional components.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.date: 09/05/2023
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index f94f31723e..8208704491 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -4,8 +4,8 @@ description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise lice
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.collection:
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index b8025d4dc9..08eca15252 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -3,12 +3,12 @@ title: Deploy Windows 10 with Microsoft 365
manager: aaroncz
ms.author: frankroj
description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Deploy Windows 10 with Microsoft 365
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
deleted file mode 100644
index d42a253d04..0000000000
--- a/windows/deployment/deploy-whats-new.md
+++ /dev/null
@@ -1,227 +0,0 @@
----
-title: What's new in Windows client deployment
-description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.technology: itpro-deploy
-author: frankroj
-manager: aaroncz
-ms.author: frankroj
-ms.topic: conceptual
-ms.collection:
- - highpri
- - tier2
-ms.date: 11/17/2023
-appliesto:
- - ✅ Windows 11
- - ✅ Windows 10
----
-
-# What's new in Windows client deployment
-
-This article provides an overview of new solutions and online content related to deploying Windows client in your organization.
-
-- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
-
-## [Preview] Windows Autopilot diagnostics page
-
-When you deploy Windows 11 with Autopilot, you can enable users to view additional information about the Autopilot provisioning process. A new **Windows Autopilot diagnostics Page** is available to provide IT admins and end users with a user-friendly view to troubleshoot Autopilot failures. For more information, see [Windows Autopilot: What's new](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page).
-
-## Windows 11
-
-Check out the following new articles about Windows 11:
-
-- [Overview of Windows 11](/windows/whats-new/windows-11).
-- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
-- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
-- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
-
-## Deployment tools
-
-- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
-- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
-- VPN support is added to [Windows Autopilot](#windows-autopilot).
-- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
-
-## The Modern Desktop Deployment Center
-
-The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
-
-## Microsoft 365
-
-Microsoft 365 is a new offering from Microsoft that combines:
-
-- A currently supported version of Windows.
-- Office 365.
-- Enterprise Mobility and Security (EMS).
-
-See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
-
-## Windows servicing and support
-
-### Delivery Optimization
-
-Windows PowerShell cmdlets for Delivery Optimization is improved:
-
-- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
-- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
-- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
-
-Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include:
-
-- Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
-- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content.
-
-The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
-
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
- - Reason: Replaced with separate policies for foreground and background.
-- Max Upload Bandwidth (DOMaxUploadBandwidth).
- - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth).
- - Reason: separated to foreground and background.
-
-### Windows Update for Business
-
-[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
-
-- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-
-- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
-
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
-
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-
-- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-
-- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
-
-- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
-
-- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-
-- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-
-Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
-
-
-
-## Windows 10 Enterprise upgrade
-
-Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md).
-
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-
-## Deployment solutions and tools
-
-### Windows Autopilot
-
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
-
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
-
-The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-
-- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
-- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-
-### Microsoft Configuration Manager
-
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-
-### Windows 10 Subscription Activation
-
-Windows 10 Education support is added to Windows 10 Subscription Activation.
-
-With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
-
-### SetupDiag
-
-[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-
-During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
-
-### Upgrade Readiness
-
-Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following articles:
-
-- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
-
-### Update Compliance
-
-Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
-
-Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
-
-### Device Health
-
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
-
-### MBR2GPT
-
-MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-
-For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
-
-### Microsoft Deployment Toolkit (MDT)
-
-MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
-
-For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
-
-> [!IMPORTANT]
->
-> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
-
-### Windows Assessment and Deployment Kit (ADK)
-
-IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
-
-Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
-
-For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-
-Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
-
-## Testing and validation guidance
-
-### Windows 10 deployment proof of concept (PoC)
-
-The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
-
-For more information, see the following guides:
-
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
-
-## Troubleshooting guidance
-
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
-
-## Related articles
-
-- [Overview of Windows as a service](update/waas-overview.md).
-- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
-- [Windows 10 release information](/windows/windows-10/release-information).
-- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
-- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
-- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 94c3d4ad20..c5ed56316b 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -3,11 +3,11 @@ title: Add a Windows 10 operating system image using Configuration Manager
description: Operating system images are typically the production image used for deployment throughout the organization.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 49a76b890d..40fdcea0df 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -3,11 +3,11 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuratio
description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 8c9f73f7e0..da7c70c515 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -3,11 +3,11 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows
description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 95074a8b3d..af5baf8233 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -3,11 +3,11 @@ title: Create a task sequence with Configuration Manager (Windows 10)
description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 8c8f05cc7c..7159edcbe3 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -3,11 +3,11 @@ title: Create an app to deploy with Windows 10 using Configuration Manager
description: Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index e3a76f89f8..648a274ad0 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -3,11 +3,11 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
description: In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 603cdd71f6..4929876f5a 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -3,11 +3,11 @@ title: Finalize operating system configuration for Windows 10 deployment
description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2cbc8a589e..42526dd62d 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -3,11 +3,11 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Mana
description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: how-to
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 2ea7c6d6a7..e31c4ebfb5 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -3,11 +3,11 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manage
description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index f2a38e6125..48c9e2bcbb 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -3,11 +3,11 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manage
description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index 9de18e31aa..f74e065856 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -3,11 +3,11 @@ title: Perform in-place upgrade to Windows 10 via Configuration Manager
description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Configuration Manager task sequence.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-mdt/TOC.yml b/windows/deployment/deploy-windows-mdt/TOC.yml
deleted file mode 100644
index 51493a1083..0000000000
--- a/windows/deployment/deploy-windows-mdt/TOC.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
- items:
- - name: Get started with MDT
- href: get-started-with-the-microsoft-deployment-toolkit.md
- - name: Deploy Windows 10 with MDT
- items:
- - name: Prepare for deployment with MDT
- href: prepare-for-windows-deployment-with-mdt.md
- - name: Create a Windows 10 reference image
- href: create-a-windows-10-reference-image.md
- - name: Deploy a Windows 10 image using MDT
- href: deploy-a-windows-10-image-using-mdt.md
- - name: Build a distributed environment for Windows 10 deployment
- href: build-a-distributed-environment-for-windows-10-deployment.md
- - name: Refresh a Windows 7 computer with Windows 10
- href: refresh-a-windows-7-computer-with-windows-10.md
- - name: Replace a Windows 7 computer with a Windows 10 computer
- href: replace-a-windows-7-computer-with-a-windows-10-computer.md
- - name: Perform an in-place upgrade to Windows 10 with MDT
- href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- - name: Customize MDT
- items:
- - name: Configure MDT settings
- href: configure-mdt-settings.md
- - name: Set up MDT for BitLocker
- href: set-up-mdt-for-bitlocker.md
- - name: Configure MDT deployment share rules
- href: configure-mdt-deployment-share-rules.md
- - name: Configure MDT for UserExit scripts
- href: configure-mdt-for-userexit-scripts.md
- - name: Simulate a Windows 10 deployment in a test environment
- href: simulate-a-windows-10-deployment-in-a-test-environment.md
- - name: Use the MDT database to stage Windows 10 deployment information
- href: use-the-mdt-database-to-stage-windows-10-deployment-information.md
- - name: Assign applications using roles in MDT
- href: assign-applications-using-roles-in-mdt.md
- - name: Use web services in MDT
- href: use-web-services-in-mdt.md
- - name: Use Orchestrator runbooks with MDT
- href: use-orchestrator-runbooks-with-mdt.md
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
deleted file mode 100644
index 1f8a403732..0000000000
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: Assign applications using roles in MDT (Windows 10)
-description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Assign applications using roles in MDT
-
-This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
-
-## Create and assign a role entry in the database
-
-1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
-
-2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
-
- 1. Role name: Standard PC
- 2. Applications / Lite Touch Applications:
- 3. Install - Adobe Reader XI - x86
-
-
-
-Figure 12. The Standard PC role with the application added
-
-## Associate the role with a computer in the database
-
-After creating the role, you can associate it with one or more computer entries.
-
-1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
-
-2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
- - Roles: Standard PC
-
-
-
-Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
-
-## Verify database access in the MDT simulation environment
-
-When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer.
-
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-
-2. Modify the C:\\MDT\\CustomSettings.ini file to look like below:
-
- ```ini
- [Settings]
- Priority=CSettings, CRoles, RApplications, Default
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=Y
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=P@ssw0rd
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=P@ssw0rd
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=NO
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- EventService=http://MDT01:9800
- [CSettings]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=ComputerSettings
- Parameters=UUID, AssetTag, SerialNumber, MacAddress
- ParameterCondition=OR
- [CRoles]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=ComputerRoles
- Parameters=UUID, AssetTag, SerialNumber, MacAddress
- ParameterCondition=OR
- [RApplications]
- SQLServer=MDT01
- Instance=SQLEXPRESS
- Database=MDT
- Netlib=DBNMPNTW
- SQLShare=Logs$
- Table=RoleApplications
- Parameters=Role
- Order=Sequence
- ```
-
-3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
-
- ```powershell
- Set-Location C:\MDT
- .\Gather.ps1
-
- ```
-
-
-
-Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
-
-## Related articles
-
-- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Use web services in MDT](use-web-services-in-mdt.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
deleted file mode 100644
index dbfe7666fd..0000000000
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ /dev/null
@@ -1,304 +0,0 @@
----
-title: Build a distributed environment for Windows 10 deployment (Windows 10)
-description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Build a distributed environment for Windows 10 deployment
-
-**Applies to:**
-
-- Windows 10
-
-Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
-
-Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
-
-For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-
-
-
-Computers used in this article.
-
-> [!NOTE]
-> HV01 is also used in this topic to host the PC0006 virtual machine.
-
-## Replicate deployment shares
-
-Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
-
-> [!NOTE]
-> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
-
-### Linked deployment shares in MDT
-
-LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option.
-
-### Why DFS-R is a better option
-
-DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your main deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
-
-## Set up Distributed File System Replication (DFS-R) for replication
-
-Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings.
-
-### Prepare MDT01 for replication
-
-On **MDT01**:
-
-1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
-
- ```powershell
- Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
- ```
-
-2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
-
-```output
-PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
-
-Success Restart Needed Exit Code Feature Result
-------- -------------- --------- --------------
-True No Success {DFS Replication, DFS Management Tools, Fi...
-```
-
-### Prepare MDT02 for replication
-
-On **MDT02**:
-
-1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
-
- ```powershell
- Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
- ```
-
-2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
-
-```output
-PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
-
-Success Restart Needed Exit Code Feature Result
-------- -------------- --------- --------------
-True No Success {DFS Replication, DFS Management Tools, Fi...
-```
-
-### Create the MDTProduction folder on MDT02
-
-On **MDT02**:
-
-1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
-
- ```powershell
- mkdir d:\MDTProduction
- New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
- ```
-
-2. You should see the following output:
-
- ```output
- C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
-
- Name ScopeName Path Description
- ---- --------- ---- -----------
- MDTProduction$ * D:\MDTProduction
- ```
-
-### Configure the deployment share
-
-When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property.
-
-On **MDT01**:
-
-1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
-
- ```ini
- [Settings]
- Priority=DefaultGateway, Default
-
- [DefaultGateway]
- 10.10.10.1=NewYork
- 10.10.20.1=Stockholm
-
- [NewYork]
- DeployRoot=\\MDT01\MDTProduction$
-
- [Stockholm]
- DeployRoot=\\MDT02\MDTProduction$
-
- [Default]
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
- > [!NOTE]
- > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
-
-2. Save the `Bootstrap.ini` file.
-
-3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
-
-4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
-
-5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
-
- 
-
- Replacing the updated boot image in WDS.
-
- > [!TIP]
- > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
-
-## Replicate the content
-
-Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
-
-### Create the replication group
-
-1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**.
-
-2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**.
-
-3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**.
-
-4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**.
-
- 
-
- Adding the Replication Group Members.
-
-5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**.
-
-6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**.
-
-7. On the **Primary Member** page, select **MDT01** and select **Next**.
-
-8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**.
-
-9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**.
-
-10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**.
-
-11. On the **Review Settings and Create Replication Group** page, select **Create**.
-
-12. On the **Confirmation** page, select **Close**.
-
-### Configure replicated folders
-
-1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
-
-2. In the middle pane, right-click the **MDT01** member and select **Properties**.
-
-3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**:
-
- 1. In the **Staging** tab, set the quota to **20480 MB**.
-
- 2. In the **Advanced** tab, set the quota to **8192 MB**.
-
- In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
-
- ```powershell
- (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
- ```
-
-4. In the middle pane, right-click the **MDT02** member and select **Properties**.
-
-5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**:
- 1. In the **Staging** tab, set the quota to **20480 MB**.
-
- 2. In the **Advanced** tab, set the quota to **8192 MB**.
-
- > [!NOTE]
- > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
-
-6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
-
- ```cmd
- C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
- MemName IsPrimary
- MDT01 Yes
- MDT02 No
- ```
-
-### Verify replication
-
-On **MDT02**:
-
-1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
-
-2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
-
-3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**.
-
-4. On the **Path and Name** page, accept the default settings and select **Next**.
-
-5. On the **Members to Include** page, accept the default settings and select **Next**.
-
-6. On the **Options** page, accept the default settings and select **Next**.
-
-7. On the **Review Settings and Create Report** page, select **Create**.
-
-8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
-
- 
- The DFS Replication Health Report.
-
- > [!NOTE]
- > If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
-
-## Configure Windows Deployment Services (WDS) in a remote site
-
-Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
-
-1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
-
-2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-
-## Deploy a Windows 10 client to the remote site
-
-Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
-
-> [!NOTE]
-> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file.
-
-1. Create a virtual machine with the following settings:
-
- 1. **Name**: PC0006
- 2. **Location**: C:\\VMs
- 3. **Generation**: 2
- 4. **Memory**: 2048 MB
- 5. **Hard disk**: 60 GB (dynamic disk)
- 6. Install an operating system from a network-based installation server
-
-2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
-
-3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
-
- 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0006
- 3. Applications: Select the Install - Adobe Reader
-
-4. Setup will now start and perform the following steps:
-
- 1. Install the Windows 10 Enterprise operating system.
- 2. Install applications.
- 3. Update the operating system using your local Windows Server Update Services (WSUS) server.
-
-
-
-## Related articles
-
-- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
deleted file mode 100644
index 36f7e1544c..0000000000
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Configure MDT deployment share rules (Windows 10)
-description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Configure MDT deployment share rules
-
-In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
-
-## Assign settings
-
-When using MDT, you can assign setting in three distinct ways:
-
-- You can pre-stage the information before deployment.
-- You can prompt the user or technician for information.
-- You can have MDT generate the settings automatically.
-
-In order to illustrate these three options, let's look at some sample configurations.
-
-## Sample configurations
-
-Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine.
-
-### Set computer name by MAC Address
-
-If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead.
-
-```ini
-[Settings]
-Priority=MacAddress, Default
-[Default]
-OSInstall=YES
-[00:15:5D:85:6B:00]
-OSDComputerName=PC00075
-```
-
-In the preceding sample, you set the PC00075 computer name for a machine with a MAC Address of 00:15:5D:85:6B:00.
-
-### Set computer name by serial number
-
-Another way to assign a computer name is to identify the machine via its serial number.
-
-```ini
-[Settings]
-Priority=SerialNumber, Default
-[Default]
-OSInstall=YES
-[CND0370RJ7]
-OSDComputerName=PC00075
-```
-
-In this sample, you set the PC00075 computer name for a machine with a serial number of CND0370RJ7.
-
-### Generate a computer name based on a serial number
-
-You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly.
-
-```ini
-[Settings]
-Priority=Default
-[Default]
-OSInstall=YES
-OSDComputerName=PC-%SerialNumber%
-```
-
-In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7.
-
-> [!NOTE]
-> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
-
-### Generate a limited computer name based on a serial number
-
-To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows:
-
-```ini
-[Settings]
-Priority=Default
-[Default]
-OSInstall=YES
-OSDComputerName=PC-#Left("%SerialNumber%",12)#
-```
-
-In the preceding sample, you still configure the rules to set the computer name to a prefix (PC-) followed by the serial number. However, by adding the Left VBScript function, you configure the rule to use only the first 12 serial-number characters for the name.
-
-### Add laptops to a different organizational unit (OU) in Active Directory
-
-In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read.
-
-```ini
-[Settings]
-Priority=ByLaptopType, Default
-[Default]
-MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com
-[ByLaptopType]
-Subsection=Laptop-%IsLaptop%
-[Laptop-True]
-MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com
-```
-
-## Related articles
-
-- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-- [Use web services in MDT](use-web-services-in-mdt.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
deleted file mode 100644
index 443854bdd5..0000000000
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Configure MDT for UserExit scripts (Windows 10)
-description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Configure MDT for UserExit scripts
-
-In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
-
-## Configure the rules to call a UserExit script
-
-You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
-
-```ini
-[Settings]
-Priority=Default
-[Default]
-OSINSTALL=YES
-UserExit=Setname.vbs
-OSDComputerName=#SetName("%MACADDRESS%")#
-```
-
-The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample, the %MACADDRESS% variable is passed to the script
-
-## The Setname.vbs UserExit script
-
-The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
-
-```vb
-Function UserExit(sType, sWhen, sDetail, bSkip)
- UserExit = Success
-End Function
-Function SetName(sMac)
- Dim re
- Set re = new RegExp
- re.IgnoreCase = true
- re.Global = true
- re.Pattern = ":"
- SetName = "PC" & re.Replace(sMac, "")
-End Function
-```
-
-The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
-
-> [!NOTE]
-> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
-
-## Related articles
-
-- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-- [Use web services in MDT](use-web-services-in-mdt.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
deleted file mode 100644
index 167059f1e7..0000000000
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Configure MDT settings
-
-One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this article, you learn about configuring customizations for your environment.
-For the purposes of this article, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
-
-
-
-The computers used in this article.
-
-## In this section
-
-- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-- [Use web services in MDT](use-web-services-in-mdt.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
-
-## Related articles
-
-- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
deleted file mode 100644
index 7100f080ec..0000000000
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ /dev/null
@@ -1,775 +0,0 @@
----
-title: Create a Windows 10 reference image (Windows 10)
-description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 11/28/2022
----
-
-# Create a Windows 10 reference image
-
-**Applies to:**
-
-- Windows 10
-
-Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution.
-
-> [!NOTE]
-> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-
-For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01.
-
-- DC01 is a domain controller for the contoso.com domain.
-- MDT01 is a contoso.com domain member server.
-- HV01 is a Hyper-V server that will be used to build the reference image.
-
- 
- Computers used in this article.
-
-## The reference image
-
-The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are:
-
-- To reduce development time and can use snapshots to test different configurations quickly.
-- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related.
-- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
-- The image is easy to move between lab, test, and production.
-
-## Set up the MDT build lab deployment share
-
-With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
-
-### Create the MDT build lab deployment share
-
-On **MDT01**:
-
-1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article).
-
-2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
-
-3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-
-4. Use the following settings for the New Deployment Share Wizard:
-
- - Deployment share path: **D:\\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT Build Lab**
-
-5. Accept the default selections on the Options page and select **Next**.
-
-6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**.
-
-7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share.
-
- 
- The Deployment Workbench with the MDT Build Lab deployment share.
-
-### Enable monitoring
-
-To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
-
-### Configure permissions for the deployment share
-
-In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
-
-On **MDT01**:
-
-1. Ensure you're signed in as **contoso\\administrator**.
-
-2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
-
- ```powershell
- icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
- grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
- ```
-
-## Add setup files
-
-This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
-
-### Add the Windows 10 installation files
-
-MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
-
-> [!NOTE]
-> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
-
-### Add Windows 10 Enterprise x64 (full source)
-
-On **MDT01**:
-
-1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
-
- 
-
-2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
-
-3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-
-4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
-
- - Full set of source files
- - Source directory: (location of your source files)
- - Destination directory name: **W10EX64RTM**
-
-5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
-
- 
-
-> [!NOTE]
-> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
-
-## Add applications
-
-Before you create an MDT task sequence, you need to add applications and scripts you wish to install to the MDT Build Lab share.
-
-On **MDT01**:
-
-First, create an MDT folder to store the Microsoft applications that will be installed:
-
-1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
-
-2. Right-click **Applications** and then select **New Folder**.
-
-3. Under **Folder name**, type **Microsoft**.
-
-4. Select **Next** twice, and then select **Finish**.
-
-The steps in this section use a strict naming standard for your MDT applications.
-
-- Use the **Install -** prefix for typical application installations that run a setup installer of some kind.
-- Use the **Configure -** prefix when an application configures a setting in the operating system.
-- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures).
-
-Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
-
-By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments.
-
-In example sections, you 'll add the following applications:
-
-- Install - Microsoft Office 365 Pro Plus - x64
-- Install - Microsoft Visual C++ Redistributable 2019 - x86
-- Install - Microsoft Visual C++ Redistributable 2019 - x64
-
->The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
-
-Download links:
-
-- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
-- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
-- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
-
-Download all three items in this list to the D:\\Downloads folder on MDT01.
-
-> [!NOTE]
-> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
-
-> [!NOTE]
-> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
-
-### Create configuration file: Microsoft Office 365 Professional Plus x64
-
-1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
-
-2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
-
- For example, you can use the following configuration.xml file, which provides these configuration settings:
- - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet.
- > [!NOTE]
- > 64-bit is now the default and recommended edition.
- - Use the General Availability Channel and get updates directly from the Office CDN on the internet.
- - Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages.
-
- ```xml
-
- Expand to show PowerShell commands to partition an MBR disk
-
- ```powershell
- # The following command will set $Disk to all USB drives with >20 GB of storage
-
- $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
-
- #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
- #
- # To skip the confirmation prompt, append -confirm:$False
- Clear-Disk -InputObject $Disk[0] -RemoveData
-
- # This command initializes a new MBR disk
- Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
-
- # This command creates a 350 MB system partition
- $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
-
- # This formats the volume with a FAT32 Filesystem
- # To skip the confirmation dialog, append -Confirm:$False
- Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
- -Partition $SystemPartition
-
- # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
- $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
- Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
- -Partition $OSPartition
-
- # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use.
- Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
- Set-Partition -InputObject $OSPartition -NewDriveLetter "W"
-
- # This command sets the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer.
- Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
- ```
-
-
- Expand to show example san_policy.xml file
-
- ```xml
-
-
- Expand to show example san_policy.xml file
-
- ```xml
-
-
- Expand this section to show PowerShell commands to run
-
- ```powershell
- # The following command will set $Disk to all USB drives with >20 GB of storage
-
- $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
-
- #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
- #
- # To skip the confirmation prompt, append -confirm:$False
- Clear-Disk -InputObject $Disk[0] -RemoveData
-
- # This command initializes a new MBR disk
- Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
-
- # This command creates a 350 MB system partition
- $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
-
- # This formats the volume with a FAT32 Filesystem
- # To skip the confirmation dialog, append -Confirm:$False
- Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
- -Partition $SystemPartition
-
- # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
- $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
- Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
- -Partition $OSPartition
-
- # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use.
- Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
- Set-Partition -InputObject $OSPartition -NewDriveLetter "W"
-
- # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer.
- Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
- ```
-
-
- Expand this section to show example unattend.xml file
-
- ```xml
-
-
- Expand this section to show PowerShell commands to run
-
- ```powershell
- # The following command will set $Disk to all USB drives with >20 GB of storage
-
- $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
-
- #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
- #
- # To skip the confirmation prompt, append -confirm:$False
- Clear-Disk -InputObject $Disk[0] -RemoveData
-
- # This command initializes a new MBR disk
- Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
-
- # This command creates a 350 MB system partition
- $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
-
- # This formats the volume with a FAT32 Filesystem
- # To skip the confirmation dialog, append -Confirm:$False
- Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
- -Partition $SystemPartition
-
- # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
- $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
- Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
- -Partition $OSPartition
-
- # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use.
- Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
- Set-Partition -InputObject $OSPartition -NewDriveLetter "W"
-
- # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer.
- Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
- ```
-
-
-Expand this section to view Windows To Go multiple drive provisioning sample script
-
-```powershell
-<#
-.SYNOPSIS
-Windows To Go multiple drive provisioning sample script.
-
-.DESCRIPTION
-This sample script will provision one or more Windows To Go drives, configure offline domain join (using random machine names) and provides an option for BitLocker encryption. To provide a seamless first boot experience, an unattend file is created that will set the first run (OOBE) settings to defaults. To improve performance of the script, copy your install image to a local location on the computer used for provisioning the drives.
-
-.EXAMPLE
-.\WTG_MultiProvision.ps1 -InstallWIMPath c:\companyImages\amd64_enterprise.wim
-provision drives connected to your machine with the provided image.
-#>
-param (
- [parameter(Mandatory=$true)]
- [string]
-#Path to install wim. If you have the full path to the wim or want to use a local file.
- $InstallWIMPath,
-
- [string]
-#Domain to which to join the Windows To Go workspaces.
- $DomainName
-)
-
-
-<#
- In order to set BitLocker Group Policies for our offline WTG image we need to create a Registry.pol file
- in the System32\GroupPolicy folder. This file requires binary editing, which is not possible in PowerShell
- directly so we have some C# code that we can use to add a type in our PowerShell instance that will write
- the data for us.
-#>
-$Source = @"
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Text;
-
-namespace MS.PolicyFileEditor
-{
- //The PolicyEntry represents the DWORD Registry Key/Value/Data entry that will
- //be written into the file.
- public class PolicyEntry
- {
- private List
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
index 64ed4fae58..853283a0cc 100644
--- a/windows/deployment/planning/compatibility-administrator-users-guide.md
+++ b/windows/deployment/planning/compatibility-administrator-users-guide.md
@@ -3,10 +3,10 @@ title: Compatibility Administrator User's Guide (Windows 10)
manager: aaroncz
ms.author: frankroj
description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
index 49fca85218..dd2905355f 100644
--- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
@@ -3,11 +3,11 @@ title: Compatibility Fix Database Management Strategies and Deployment (Windows
manager: aaroncz
ms.author: frankroj
description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Compatibility Fix Database Management Strategies and Deployment
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 79207612a8..e9bc0caf59 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -3,11 +3,11 @@ title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
index 18f1b3e14e..c1946e6941 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windo
description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index 80892aa2d5..9e8137b12b 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Create a Custom Compatibility Mode (Windows 10)
description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Creating a Custom Compatibility Mode in Compatibility Administrator
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index 31f4cff7a1..a77208735d 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Create AppHelp Message in Compatibility Administrator (Windows 10)
description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Creating an AppHelp Message in Compatibility Administrator
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
deleted file mode 100644
index e4cce0cd24..0000000000
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: Deployment considerations for Windows To Go (Windows 10)
-description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Deployment considerations for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
-
-> [!NOTE]
-> Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process.
-
-The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go.
-
-- [Initial boot experiences](#wtg-initboot)
-- [Image deployment and drive provisioning considerations](#wtg-imagedep)
-- [Application installation and domain join](#wtg-appinstall)
-- [Management of Windows To Go using Group Policy](#bkmk-wtggp)
-- [Supporting booting from USB](#wtg-bootusb)
-- [Updating firmware](#stg-firmware)
-- [Configure Windows To Go startup options](#wtg-startup)
-- [Change firmware settings](#wtg-changefirmware)
-
-## Initial boot experiences
-
-The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
-
-
-
-When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It isn't necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but isn't required.
-
-
-
-When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
-
-> [!TIP]
-> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)).
-
-DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you don't want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
-
-### Image deployment and drive provisioning considerations
-
-The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
-
-
-
-The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device hasn't been booted. After the Windows To Go drive is initialized, it shouldn't be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
-
-> [!TIP]
-> When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments.
-
-**Driver considerations**
-
-Windows includes most of the drivers that you'll need to support a wide variety of host computers. However, you'll occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you're using Windows To Go on a set of known host computers, you can add any more drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get more drivers if necessary.
-
-Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems.
-
-The following list of commonly used Wi-Fi network adapters that aren't supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image.
-
-|Vendor name|Product description|HWID|Windows Update availability|
-|--- |--- |--- |--- |
-|Broadcom|802.11abgn Wireless SDIO adapter|sd\vid_02d0&pid_4330&fn_1|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010e106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_433114e4&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010f106b&rev_02|Contact the system OEM or Broadcom for driver availability.|
-|Marvell|Yukon 88E8001/8003/8010 PCI Gigabit Ethernet|pci\ven_11ab&dev_4320&subsys_811a1043|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619080)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619082)|
-|Marvell|Libertas 802.11b/g Wireless|pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619128)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619129)|
-|Qualcomm|Atheros AR6004 Wireless LAN Adapter|sd\vid_0271&pid_0401|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619086)
64-bit driver not available|
-|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_20031a56|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619348)
64-bit driver not available|
-|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_020a1028&rev_01|Contact the system OEM or Qualcom for driver availability.|
-|Qualcomm|Atheros AR5005G Wireless Network Adapter|pci\ven_168c&dev_001a&subsys_04181468&rev_01|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619349)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index a6299026c3..e37786a9a6 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index a39866b132..7155581ea8 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Fixing Applications by Using the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Fixing Applications by Using the SUA Tool
diff --git a/windows/deployment/planning/images/wtg-first-boot-home.gif b/windows/deployment/planning/images/wtg-first-boot-home.gif
deleted file mode 100644
index 46cd605a2e..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-home.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-first-boot-work.gif b/windows/deployment/planning/images/wtg-first-boot-work.gif
deleted file mode 100644
index c1a9a9d31d..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-work.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-gpt-uefi.gif b/windows/deployment/planning/images/wtg-gpt-uefi.gif
deleted file mode 100644
index 2ff2079a3c..0000000000
Binary files a/windows/deployment/planning/images/wtg-gpt-uefi.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-image-deployment.gif b/windows/deployment/planning/images/wtg-image-deployment.gif
deleted file mode 100644
index d622911f3e..0000000000
Binary files a/windows/deployment/planning/images/wtg-image-deployment.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-bios.gif b/windows/deployment/planning/images/wtg-mbr-bios.gif
deleted file mode 100644
index b93796944a..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-bios.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif b/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif
deleted file mode 100644
index f21592c310..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-startup-options.gif b/windows/deployment/planning/images/wtg-startup-options.gif
deleted file mode 100644
index 302da78ea6..0000000000
Binary files a/windows/deployment/planning/images/wtg-startup-options.gif and /dev/null differ
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index 2cf46ee778..a50feb249b 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Install/Uninstall Custom Databases (Windows 10)
description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 9c90b3ca24..69b7bd6cd3 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -3,11 +3,11 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Window
description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Managing Application-Compatibility Fixes and Custom Fix Databases
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
deleted file mode 100644
index 5f5b94be3f..0000000000
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Prepare your organization for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go.
-
-## What is Windows To Go?
-
-Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. A Windows To Go workspace isn't intended to replace desktops or laptops, or supplant other mobility offerings.
-
-Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are:
-
-- USB boot capable
-- Have USB boot enabled in the firmware
-- Meet Windows 7 minimum system requirements
-- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM isn't a supported processor for Windows To Go.
-- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace
-
-Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.
-
-The following articles will familiarize you with how you can use a Windows To Go workspace. They also give you an overview of some of the things you should consider in your design.
-
-## Usage scenarios
-
-
-The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer:
-
-- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection, or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
-
-- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker. Then they can be assisted with any necessary other user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive. And run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer.
-
-- **Managed free seating.** The employee is issued a Windows To Go drive. This drive is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return, they use the same USB flash drive but use a different host computer.
-
-- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work. This boot caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
-
-- **Travel lightly.** In this situation, you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
-
-> [!NOTE]
-> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object isn't potentially deleted from Active Directory Domain Services (AD DS).
-
- ## Infrastructure considerations
-
-Because Windows To Go requires no other software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no other infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group.
-
-## Activation considerations
-
-Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This method is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
-
-You should investigate other software manufacturer's licensing requirements to ensure they're compatible with roaming usage before deploying them to a Windows To Go workspace.
-
-> [!NOTE]
-> Using Multiple Activation Key (MAK) activation isn't a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
-
- For more information about these activation methods and how they can be used in your organization, see [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)).
-
-## Organizational unit structure and use of Group Policy Objects
-
-You may find it beneficial to create other Active Directory organizational unit (OU) structures to support your Windows To Go deployment: one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers that can boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation.
-
-If you're deploying Windows To Go workspaces for a scenario in which they're not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store.
-
-For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-## Computer account management
-
-If you configure Windows To Go drives for scenarios where drives may remain unused for extended periods of time such as used in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule, or modify any maintenance scripts to not clean computer accounts in the Windows To Go device organizational unit.
-
-## User account and data management
-
-People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to be able to get to the data that they work with, and to keep it accessible when the workspace isn't being used. For this reason, we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.
-
-## Remote connectivity
-
-If you want Windows To Go to be able to connect back to organizational resources when it's being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
-
-## Related articles
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 826f2dfc4c..aa27616363 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows
description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Searching for Fixed Applications in Compatibility Administrator
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 4c0f2e2689..847fb0731b 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compat
description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
deleted file mode 100644
index b376163521..0000000000
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Security and data protection considerations for Windows To Go (Windows 10)
-description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 12/31/2017
----
-
-# Security and data protection considerations for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
-
-## Backup and restore
-
-When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement.
-
-If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-## BitLocker
-
-We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
-
-You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
-
-> [!Tip]
-> If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
-
-When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode.
-
-## Disk discovery and data leakage
-
-We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
-
-To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)).
-
-## Security certifications for Windows To Go
-
-Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider's specific hardware environment. For more information about Windows security certifications, see the following articles.
-
-- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria)
-
-- [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation)
-
-## Related articles
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
-
-
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index 25850695fc..cb8a3ebc82 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Showing Messages Generated by the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Showing Messages Generated by the SUA Tool
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 4f53104c76..47b4ffba5c 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -3,11 +3,11 @@ title: SUA User's Guide (Windows 10)
description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# SUA User's Guide
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index a2dff7087c..c6af910322 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -3,11 +3,11 @@ title: Tabs on the SUA Tool Interface (Windows 10)
description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Tabs on the SUA Tool Interface
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index b2ff9f8850..481d2ce883 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -3,11 +3,11 @@ title: Testing Your Application Mitigation Packages (Windows 10)
description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Testing Your Application Mitigation Packages
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index ee6976fca5..7327ff75b9 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -3,10 +3,10 @@ title: Understanding and Using Compatibility Fixes (Windows 10)
description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index cb156708b7..d3c2f77b38 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -3,11 +3,11 @@ title: Using the Compatibility Administrator Tool (Windows 10)
description: This section provides information about using the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the Compatibility Administrator Tool
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index f6e1a6fbee..2ae090b3f3 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -3,11 +3,11 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the Sdbinst.exe Command-Line Tool
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 5b72bfbc4b..043d002305 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Using the SUA Tool (Windows 10)
description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the SUA Tool
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index ce121c5440..8f7ed9170b 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -3,11 +3,11 @@ title: Using the SUA wizard (Windows 10)
description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the SUA wizard
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 44cf622430..38b8b8cf10 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index e444794da2..83227970dd 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -3,11 +3,11 @@ title: Windows 10 compatibility (Windows 10)
description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index b3911601ff..434b7da17f 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -3,11 +3,11 @@ title: Windows 10 deployment considerations (Windows 10)
description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 853855b43b..3dee852942 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -3,8 +3,8 @@ metadata:
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
- ms.prod: windows-client
- ms.technology: itpro-deploy
+ ms.service: windows-client
+ ms.subservice: itpro-deploy
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 7341f4b302..06a835b0ba 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -3,11 +3,11 @@ title: Windows 10 infrastructure requirements (Windows 10)
description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
deleted file mode 100644
index 4907345be4..0000000000
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ /dev/null
@@ -1,455 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: Windows To Go frequently asked questions (Windows 10)
- description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature.
- ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
- ms.reviewer:
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- keywords: FAQ, mobile, device, USB
- ms.prod: windows-client
- ms.technology: itpro-deploy
- ms.mktglfcycl: deploy
- ms.pagetype: mobility
- ms.sitesec: library
- audience: itpro
- ms.topic: faq
- ms.date: 10/28/2022
-title: 'Windows To Go: frequently asked questions'
-summary: |
- **Applies to**
-
- - Windows 10
-
- > [!IMPORTANT]
- > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
- The following list identifies some commonly asked questions about Windows To Go.
-
- - [What is Windows To Go?](#what-is-windows-to-go-)
-
- - [Does Windows To Go rely on virtualization?](#does-windows-to-go-rely-on-virtualization-)
-
- - [Who should use Windows To Go?](#who-should-use-windows-to-go-)
-
- - [How can Windows To Go be deployed in an organization?](#how-can-windows-to-go-be-deployed-in-an-organization-)
-
- - [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#is-windows-to-go-supported-on-both-usb-2-0-and-usb-3-0-drives-)
-
- - [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#is-windows-to-go-supported-on-usb-2-0-and-usb-3-0-ports-)
-
- - [How do I identify a USB 3.0 port?](#how-do-i-identify-a-usb-3-0-port-)
-
- - [Does Windows To Go run faster on a USB 3.0 port?](#does-windows-to-go-run-faster-on-a-usb-3-0-port-)
-
- - [Can the user self-provision Windows To Go?](#can-the-user-self-provision-windows-to-go-)
-
- - [How can Windows To Go be managed in an organization?](#how-can-windows-to-go-be-managed-in-an-organization-)
-
- - [How do I make my computer boot from USB?](#how-do-i-make-my-computer-boot-from-usb-)
-
- - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-)
-
- - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-)
-
- - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-)
-
- - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
-
- - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-)
-
- - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-)
-
- - [Does Windows To Go support crash dump analysis?](#does-windows-to-go-support-crash-dump-analysis-)
-
- - [Do "Windows To Go Startup Options" work with dual boot computers?](#do--windows-to-go-startup-options--work-with-dual-boot-computers-)
-
- - [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#i-plugged-my-windows-to-go-drive-into-a-running-computer-and-i-can-t-see-the-partitions-on-the-drive--why-not-)
-
- - [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#i-m-booted-into-windows-to-go--but-i-can-t-browse-to-the-internal-hard-drive-of-the-host-computer--why-not-)
-
- - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#why-does-my-windows-to-go-drive-have-an-mbr-disk-format-with-a-fat32-system-partition-)
-
- - [Is Windows To Go secure if I use it on an untrusted machine?](#is-windows-to-go-secure-if-i-use-it-on-an-untrusted-computer-)
-
- - [Does Windows To Go work with ARM processors?](#does-windows-to-go-work-with-arm-processors-)
-
- - [Can I synchronize data from Windows To Go with my other computer?](#can-i-synchronize-data-from-windows-to-go-with-my-other-computer-)
-
- - [What size USB Flash Drive do I need to make a Windows To Go drive?](#what-size-usb-flash-drive-do-i-need-to-make-a-windows-to-go-drive-)
-
- - [Do I need to activate Windows To Go every time I roam?](#do-i-need-to-activate-windows-to-go-every-time-i-roam-)
-
- - [Can I use all Windows features on Windows To Go?](#can-i-use-all-windows-features-on-windows-to-go-)
-
- - [Can I use all my applications on Windows To Go?](#can-i-use-all-my-applications-on-windows-to-go-)
-
- - [Does Windows To Go work slower than standard Windows?](#does-windows-to-go-work-slower-than-standard-windows-)
-
- - [If I lose my Windows To Go drive, will my data be safe?](#if-i-lose-my-windows-to-go-drive--will-my-data-be-safe-)
-
- - [Can I boot Windows To Go on a Mac?](#can-i-boot-windows-to-go-on-a-mac-)
-
- - [Are there any APIs that allow applications to identify a Windows To Go workspace?](#are-there-any-apis-that-allow-applications-to-identify-a-windows-to-go-workspace-)
-
- - [How is Windows To Go licensed?](#how-is-windows-to-go-licensed-)
-
- - [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#does-windows-recovery-environment-work-with-windows-to-go--what-s-the-guidance-for-recovering-a-windows-to-go-drive-)
-
- - [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#why-won-t-windows-to-go-work-on-a-computer-running-windows-xp-or-windows-vista-)
-
- - [Why does the operating system on the host computer matter?](#why-does-the-operating-system-on-the-host-computer-matter-)
-
- - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-)
-
- - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-)
-
- - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-)
-
- - [How do I upgrade the operating system on my Windows To Go drive?](#how-do-i-upgrade-the-operating-system-on-my-windows-to-go-drive-)
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What is Windows To Go?
- answer: |
- Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs.
-
- - question: |
- Does Windows To Go rely on virtualization?
- answer: |
- No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure.
-
- - question: |
- Who should use Windows To Go?
- answer: |
- Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home.
-
- - question: |
- How can Windows To Go be deployed in an organization?
- answer: |
- Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are:
-
- - A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware)
-
- - A Windows 10 Enterprise or Windows 10 Education image
-
- - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
-
- You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process.
-
- - question: |
- Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?
- answer: |
- No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go.
-
- - question: |
- Is Windows To Go supported on USB 2.0 and USB 3.0 ports?
- answer: |
- Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later.
-
- - question: |
- How do I identify a USB 3.0 port?
- answer: |
- USB 3.0 ports are usually marked blue or carry an SS marking on the side.
-
- - question: |
- Does Windows To Go run faster on a USB 3.0 port?
- answer: |
- Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace.
-
- - question: |
- Can the user self-provision Windows To Go?
- answer: |
- Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases include support for user self-provisioning of Windows To Go drives.
-
- - question: |
- How can Windows To Go be managed in an organization?
- answer: |
- Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
-
- - question: |
- How do I make my computer boot from USB?
- answer: |
- For host computers running Windows 10
-
- - Using Cortana, search for **Windows To Go startup options**, and then press Enter.
- - In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB.
-
- For host computers running Windows 8 or Windows 8.1:
-
- Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter.
-
- In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB.
-
- > [!NOTE]
- > Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization.
-
-
-
- If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.
-
- To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.)
-
- After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first.
-
- Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis.
-
- For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
- **Warning**
- Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive.
-
-
-
- - question: |
- Why isn't my computer booting from USB?
- answer: |
- Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
-
- 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
-
- 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
-
- 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port.
-
- If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support.
-
- - question: |
- What happens if I remove my Windows To Go drive while it's running?
- answer: |
- If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds.
-
- **Warning**
- You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive.
-
-
-
- - question: |
- Can I use BitLocker to protect my Windows To Go drive?
- answer: |
- Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace.
-
- - question: |
- Why can't I enable BitLocker from Windows To Go Creator?
- answer: |
- Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types.
-
- When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation:
-
- 1. **Control use of BitLocker on removable drives**
-
- If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive.
-
- 2. **Configure use of smart cards on removable data drives**
-
- If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard.
-
- 3. **Configure use of passwords for removable data drives**
-
- If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker.
-
- Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go.
-
- - question: |
- What power states does Windows To Go support?
- answer: |
- Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace.
-
- - question: |
- Why is hibernation disabled in Windows To Go?
- answer: |
- When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc).
-
- - question: |
- Does Windows To Go support crash dump analysis?
- answer: |
- Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
-
- - question: |
- Do "Windows To Go Startup Options" work with dual boot computers?
- answer: |
- Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
-
- If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported.
-
- - question: |
- I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?
- answer: |
- Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
-
- **Warning**
- It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
-
-
-
- - question: |
- I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?
- answer: |
- Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
-
- **Warning**
- It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefore user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-
-
- - question: |
- Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?
- answer: |
- This is done to allow Windows To Go to boot from UEFI and legacy systems.
-
- - question: |
- Is Windows To Go secure if I use it on an untrusted computer?
- answer: |
- While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive.
-
- - question: |
- Does Windows To Go work with ARM processors?
- answer: |
- No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors.
-
- - question: |
- Can I synchronize data from Windows To Go with my other computer?
- answer: |
- To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need.
-
- - question: |
- What size USB flash drive do I need to make a Windows To Go drive?
- answer: |
- The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size.
-
- - question: |
- Do I need to activate Windows To Go every time I roam?
- answer: |
- No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or through a remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days.
-
- - question: |
- Can I use all Windows features on Windows To Go?
- answer: |
- Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh.
-
- - question: |
- Can I use all my applications on Windows To Go?
- answer: |
- Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time.
-
- - question: |
- Does Windows To Go work slower than standard Windows?
- answer: |
- If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds.
-
- - question: |
- If I lose my Windows To Go drive, will my data be safe?
- answer: |
- Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
-
- - question: |
- Can I boot Windows To Go on a Mac?
- answer: |
- We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac.
-
- - question: |
- Are there any APIs that allow applications to identify a Windows To Go workspace?
- answer: |
- Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device.
-
- Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
-
- For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem).
-
- - question: |
- How is Windows To Go licensed?
- answer: |
- Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.
-
- - question: |
- Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?
- answer: |
- No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace.
-
- - question: |
- Why won't Windows To Go work on a computer running Windows XP or Windows Vista?
- answer: |
- Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
-
- - question: |
- Why does the operating system on the host computer matter?
- answer: |
- It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
-
- - question: |
- My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
- answer: |
- The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary.
-
- You can reset the BitLocker system measurements to incorporate the new boot order using the following steps:
-
- 1. Sign in to the host computer using an account with administrator privileges.
-
- 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
-
- 3. Click **Suspend Protection** for the operating system drive.
-
- A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive.
-
- 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki.
-
- 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.)
-
- 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
-
- 7. Click **Resume Protection** to re-enable BitLocker protection.
-
- The host computer will now be able to be booted from a USB drive without triggering recovery mode.
-
- > [!NOTE]
- > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order.
-
-
-
- - question: |
- I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?
- answer: |
- Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
-
- 1. Open a command prompt with full administrator permissions.
-
- > [!NOTE]
- > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them.
-
-
-
- 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt.
-
- 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available.
-
- 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive.
-
- - question: |
- Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?
- answer: |
- One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
-
- In certain cases, third-party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
-
- This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers.
-
- - question: |
- How do I upgrade the operating system on my Windows To Go drive?
- answer: |
- There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version.
-
-additionalContent: |
-
- ## Additional resources
-
- - [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
- - [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
- - [Windows To Go: feature overview](windows-to-go-overview.md)
- - [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
- - [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
- - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
deleted file mode 100644
index 4332f5785a..0000000000
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: Windows To Go feature overview (Windows 10)
-description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: overview
-ms.technology: itpro-deploy
-ms.collection:
- - highpri
- - tier2
-ms.date: 10/28/2022
----
-
-# Windows To Go: feature overview
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
-
-PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go isn't intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some other considerations that you should keep in mind before you start to use Windows To Go:
-
-- [Windows To Go: feature overview](#windows-to-go-feature-overview)
- - [Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows)
- - [Roaming with Windows To Go](#roaming-with-windows-to-go)
- - [Prepare for Windows To Go](#prepare-for-windows-to-go)
- - [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
-
-> [!NOTE]
-> Windows To Go isn't supported on Windows RT.
-
-## Differences between Windows To Go and a typical installation of Windows
-
-Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:
-
-- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive won't be listed in Windows Explorer.
-- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
-- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.
-- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
-- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled.
-- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces can't be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
-
-## Roaming with Windows To Go
-
-Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer, it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is next booted on that host computer, it will be able to identify the host computer and load the correct set of drivers automatically.
-
-The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware, which will cause difficulties if the workspace is being used with multiple host computers.
-
-## Prepare for Windows To Go
-
-Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
-
-These same tools can be used to provision Windows To Go drive, just as if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
-
-> [!IMPORTANT]
-> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported.
-
-As you decide what to include in your Windows To Go image, be sure to consider the following questions:
-
-Are there any drivers that you need to inject into the image?
-
-How will data be stored and synchronized to appropriate locations from the USB device?
-
-Are there any applications that are incompatible with Windows To Go roaming that shouldn't be included in the image?
-
-What should be the architecture of the image - 32bit/64bit?
-
-What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network?
-
-For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md).
-
-## Hardware considerations for Windows To Go
-
-**For USB drives**
-
-The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following items:
-
-- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly.
-- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later.
-- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details.
-
-As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives:
-
-> [!WARNING]
-> Using a USB drive that has not been certified is not supported.
-
-- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
-- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
-
-- Super Talent Express RC4 for Windows To Go
-
- -and-
-
- Super Talent Express RC8 for Windows To Go
-
- ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721))
-
-- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722))
-
- We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility, see [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
-
-**For host computers**
-
-When assessing the use of a PC as a host for a Windows To Go workspace, you should consider the following criteria:
-
-- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go.
-- Running a Windows To Go workspace from a computer that is running Windows RT isn't a supported scenario.
-- Running a Windows To Go workspace on a Mac computer isn't a supported scenario.
-
-The following table details the characteristics that the host computer must have to be used with Windows To Go:
-
-|Item|Requirement|
-|--- |--- |
-|Boot process|Capable of USB boot|
-|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you're unsure of the ability of your PC to boot from USB)|
-|Processor architecture|Must support the image on the Windows To Go drive|
-|External USB Hubs|Not supported; connect the Windows To Go drive directly to the host machine|
-|Processor|1 GHz or faster|
-|RAM|2 GB or greater|
-|Graphics|DirectX 9 graphics device with WDDM 1.2 or greater driver|
-|USB port|USB 2.0 port or greater|
-
-**Checking for architectural compatibility between the host PC and the Windows To Go drive**
-
-In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below.
-
-|Host PC Firmware Type|Host PC Processor Architecture|Compatible Windows To Go Image Architecture|
-|--- |--- |--- |
-|Legacy BIOS|32-bit|32-bit only|
-|Legacy BIOS|64-bit|32-bit and 64-bit|
-|UEFI BIOS|32-bit|32-bit only|
-|UEFI BIOS|64-bit|64-bit only|
-
-## Other resources
-
-- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
-- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
-- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951)
-
-## Related articles
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index f49339b0fd..8e5e27c8df 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -2,13 +2,13 @@
title: Windows Pro in S mode
description: Overview of Windows Pro and Enterprise in S mode.
ms.localizationpriority: high
-ms.prod: windows-client
+ms.service: windows-client
manager: aaroncz
author: frankroj
ms.author: frankroj
ms.topic: conceptual
ms.date: 04/26/2023
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows Pro in S mode
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 72d37a8849..c8ea253ee3 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -1,8 +1,8 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index ba7b6d264d..164a2970b3 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,8 +1,8 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index f5f57bd6c5..d1b6ebd87e 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,8 +1,8 @@
---
title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 4373f59f58..ca104fce34 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -2,8 +2,8 @@
title: Deploy drivers and firmware updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index 9279a5e9d4..0b59cbea9e 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -2,8 +2,8 @@
title: Deploy expedited updates
titleSuffix: Windows Update for Business deployment service
description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
@@ -32,7 +32,11 @@ In this article, you will:
## Prerequisites
-All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients.
+- The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods:
+ - Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates)
+ - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
+ - Example PowerShell script to verify tools installation: `Get-CimInstance -ClassName Win32_Product \| Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
### Permissions
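Review bot: The verification one-liner in the last added bullet under Prerequisites queries `Win32_Product`, which makes Windows Installer run a consistency check on every MSI-installed product and can start repairs. That makes it slow and noisy in the event log when run across a fleet. The `\|` inside the code span is also likely to render with a literal backslash, since this bullet is not in a table, so a pasted command would fail. I would either rely on the folder check from the previous bullet, `Test-Path 'C:\Program Files\Microsoft Update Health Tools'`, or read the uninstall keys instead: `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -match 'Microsoft Update Health Tools'`.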
@@ -213,8 +217,8 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
"id": "de910e12-3456-7890-abcd-ef1234567890",
- "createdDateTime": "2023-02-09T22:55:04.8547517Z",
- "lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z",
+ "createdDateTime": "2024-01-30T19:43:37.1672634Z",
+ "lastModifiedDateTime": "2024-01-30T19:43:37.1672644Z",
"state": {
"effectiveValue": "offering",
"requestedValue": "none",
@@ -222,15 +226,19 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
},
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
- "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('073fb534-5cdd-4326-8aa2-a4d29037b60f')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
- "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
+ "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
"displayName": null,
"deployableUntilDateTime": null,
- "releaseDateTime": "2023-01-10T00:00:00Z",
+ "releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": false,
- "qualityUpdateClassification": "security"
+ "qualityUpdateClassification": "security",
+ "catalogName": null,
+ "shortName": null,
+ "qualityUpdateCadence": "monthly",
+ "cveSeverityInformation": null
}
},
"settings": {
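Review bot: The new `catalogEntry@odata.context` value names deployment `073fb534-5cdd-4326-8aa2-a4d29037b60f`, but the rest of the sample response still uses `de910e12-3456-7890-abcd-ef1234567890`. That placeholder appears in the `id` field and in the `audience@odata.context` line shown as context in the neighbouring hunks. A reader checking a real response against this sample would expect one deployment ID throughout, so I would keep the placeholder on this line too: `...deployments('de910e12-3456-7890-abcd-ef1234567890')/content/...`. The JSON sample begins and ends outside this hunk.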
@@ -238,10 +246,12 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
"monitoring": null,
"contentApplicability": null,
"userExperience": {
- "daysUntilForcedReboot": 2
+ "daysUntilForcedReboot": 2,
+ "offerAsOptional": null
},
"expedite": {
- "isExpedited": true
+ "isExpedited": true,
+ "isReadinessTest": false
}
},
"audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
@@ -293,6 +303,48 @@ The following example deletes the deployment with a **Deployment ID** of `de910e
DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
```
+## Readiness test for expediting updates
+
+You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "expedite": {
+ "isExpedited": true,
+ "isReadinessTest": true
+ }
+ }
+}
+```
+
+The truncated response displays that **isReadinessTest** is set to `true` and gives you a **DeploymentID** of `de910e12-3456-7890-abcd-ef1234567890`. You can then [add members to the deployment audience](#add-members-to-the-deployment-audience) to have the service check that the devices meet the preresquites then review the results in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab).
+
+```json
+ "expedite": {
+ "isExpedited": true,
+ "isReadinessTest": true
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('6a6c03b5-008e-4b4d-8acd-48144208f179_Readiness')/audience/$entity",
+ "audience": {
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "applicableContent": []
+ }
+
+```
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
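Review bot: The catalog entry `id` in the new readiness-test request body is 63 hex characters, and looks like the ID from the response sample earlier in this file with its leading `e` dropped. If so, it should read `"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"`; as written, a copied request would reference a catalog entry that presumably doesn't exist. The paragraph after the request says the DeploymentID is `de910e12-3456-7890-abcd-ef1234567890`, but the truncated response shows `6a6c03b5-008e-4b4d-8acd-48144208f179_Readiness` in `audience@odata.context` and puts the `de910e12…` value on the audience `id`, so the prose and sample disagree on which ID to use when adding audience members. The same paragraph misspells "prerequisites" as "preresquites". The `settings` `@odata.type` value also lacks the leading `#` that the other type annotations in this request carry; aligning it would keep the sample consistent.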
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index 070ecd8914..99d6c26f7c 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -2,8 +2,8 @@
title: Deploy feature updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index b3fa2680c5..adf8bfe314 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -2,8 +2,8 @@
title: Overview of the deployment service
titleSuffix: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index d4dbc2e5e1..1f24cbfe24 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -2,8 +2,8 @@
title: Prerequisites for the deployment service
titleSuffix: Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 02/14/2023
+ms.date: 01/29/2024
---
# Windows Update for Business deployment service prerequisites
@@ -48,9 +48,9 @@ Windows Update for Business deployment service supports Windows client devices o
### Windows operating system updates
-- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device:
+- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device:
- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
- - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
+ - As an Admin, run the following PowerShell script: `Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
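Review bot: Moving from `Get-WmiObject` to `Get-CimInstance` in the Update Health Tools check keeps the query against `Win32_Product`, which is the costly part. Enumerating that class makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger repair or reconfiguration on the device. For a presence check that admins may run across a fleet, a read-only lookup is safer, for example `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -match 'Microsoft Update Health Tools'`. Alternatively, add a sentence warning that the `Win32_Product` query has this side effect and pointing readers to the folder check in the bullet above.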
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 65a6b7777a..da9f167b83 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -2,8 +2,8 @@
title: Troubleshoot the deployment service
titleSuffix: Windows Update for Business deployment service
description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: troubleshooting
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 9352455d20..d12a78f404 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,8 +1,8 @@
---
title: Evaluate infrastructure and tools
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 41a21d5d7c..51371de0c7 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,8 +1,8 @@
---
title: Best practices - user-initiated feature update installation
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: best-practice
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 972dd73a69..f7968c1ebc 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,8 +1,8 @@
---
title: FoD and language packs for WSUS and Configuration Manager
description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 5dc206f1aa..46dca308f1 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,8 +1,8 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index ef02459999..70f2c18280 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,8 +1,8 @@
---
title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/images/waas-active-hours-policy.PNG b/windows/deployment/update/images/waas-active-hours-policy.png
similarity index 100%
rename from windows/deployment/update/images/waas-active-hours-policy.PNG
rename to windows/deployment/update/images/waas-active-hours-policy.png
diff --git a/windows/deployment/update/images/waas-active-hours.PNG b/windows/deployment/update/images/waas-active-hours.png
similarity index 100%
rename from windows/deployment/update/images/waas-active-hours.PNG
rename to windows/deployment/update/images/waas-active-hours.png
diff --git a/windows/deployment/update/includes/update-history.md b/windows/deployment/update/includes/update-history.md
index 9963e0b8b6..cc5fb9bb9f 100644
--- a/windows/deployment/update/includes/update-history.md
+++ b/windows/deployment/update/includes/update-history.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/24/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
index 24da4ab44e..572d549362 100644
--- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
index d8c96ee718..cc46da849e 100644
--- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
+++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
index ed62f731f1..f84dd43e0a 100644
--- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
index 336236ee43..9cfcff85ad 100644
--- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
index 23bbb2b2d9..40f67810ab 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index 8d869d1f69..8250bc9e1d 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
index 682134eb32..d4681b40c2 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md
index 34e70ba899..a57711bffd 100644
--- a/windows/deployment/update/includes/wufb-deployment-limitations.md
+++ b/windows/deployment/update/includes/wufb-deployment-limitations.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
index 4e0d5caaff..cd39b4dd7e 100644
--- a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
+++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index da738e8991..a698c7f33b 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 04/26/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 88fd5d146e..a3bfb9b575 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 12/15/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
index 70c1948c7a..f0f14e2a67 100644
--- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
+++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 08/18/2022
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
index 479b5a9eff..7057d0789c 100644
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 07/11/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index baae39d605..080e86b6ad 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,8 +1,8 @@
---
title: Update Windows installation media with Dynamic Update
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 1245ce7f59..7f6fffc7b4 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -1,8 +1,8 @@
---
title: Migrating and acquiring optional Windows content
description: How to keep language resources and Features on Demand during operating system updates for your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index 3116459b20..dcc9544f7e 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,8 +1,8 @@
---
title: Define readiness criteria
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index 9f3f2e92b7..e2175c7b40 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,8 +1,8 @@
---
title: Define update strategy
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 735e5a3095..6801a4cca8 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -1,8 +1,8 @@
---
title: Determine application readiness
description: How to test your apps to identify which need attention prior to deploying an update in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index ad9ebeff3a..a9af4519db 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -1,8 +1,8 @@
---
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index bb6949ca8e..2d4e8ecb19 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,8 +1,8 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 86232917dd..104400de70 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,8 +1,8 @@
---
title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index 30227f3553..0e0a112ae1 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -1,8 +1,8 @@
---
title: Opt out of safeguard holds
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 7aa9bf3ff1..85af66e440 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -1,8 +1,8 @@
---
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index b534f09c0c..28b05bb90e 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,8 +1,8 @@
---
title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index b7fa2d5094..50b404df35 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -1,8 +1,8 @@
---
title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 7856c98348..11732bc1ca 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -1,8 +1,8 @@
---
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 2a1baa5255..4a74fbe288 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -2,12 +2,12 @@
title: Configure Windows Update for Business
manager: aaroncz
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: conceptual
-ms.technology: itpro-updates
+ms.subservice: itpro-updates
ms.collection:
- tier1
appliesto:
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index d94af9011d..54a680ab36 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,8 +1,8 @@
---
title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index b1aee2ba14..6506f11e90 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,8 +1,8 @@
---
title: Deploy updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 070ded3d1e..25fff01d83 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -2,7 +2,8 @@
title: Windows Update for Business
manager: aaroncz
description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
-ms.prod: windows-client
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
@@ -10,9 +11,9 @@ ms.collection:
- highpri
- tier2
ms.localizationpriority: medium
-appliesto:
+appliesto:
- ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
ms.date: 11/07/2023
---
@@ -27,7 +28,7 @@ Windows Update for Business is a free service that is available for the followin
- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
Windows Update for Business enables IT administrators to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions, such as Microsoft Intune, to configure the Windows Update for Business settings that control how and when devices are updated.
-
+
Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
@@ -85,7 +86,7 @@ An administrator can defer the installation of both feature and quality updates
|Nondeferrable | none |
+ [Insert graphic with the deferrals set to different values showing a feature update rollout)-->
#### Pause an update
@@ -98,7 +99,7 @@ When updating from Windows Update, you get the added benefits of built-in compat
### Recommendations
-For the best experience with Windows Update, follow these guidelines:
+For the best experience with Windows Update, follow these guidelines:
- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 6f20706c2e..52cda69c7b 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,8 +1,8 @@
---
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
@@ -11,64 +11,61 @@ ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
-appliesto:
+appliesto:
- ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Overview of Windows as a service
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2).
-Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
## Building
-Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn't work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges.
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features. That scenario doesn't always work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges.
-In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider community](/windows-insider/business/register) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider Program](/windows-insider/) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
-Of course, Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
+Microsoft also runs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
## Deploying
Deploying Windows 10 and Windows 11 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, you can use an easy in-place upgrade process to automatically preserve all apps, settings, and data. Afterwards, deployment of feature updates is equally simple.
-
### Application compatibility
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds.
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds.
## Servicing
-Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes.
+Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes.
-Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
+Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool, see [Servicing tools](#servicing-tools).
There are three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For more information, see [Servicing channels](#servicing-channels).
-
There are currently three release channels for Windows clients:
-- The **General Availability Channel** receives feature updates as soon as they're available.
+- The **General Availability Channel** receives feature updates as soon as they're available.
- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- The **Windows Insider Program** provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update.
>[!NOTE]
->With each General Availability release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
+>With each General Availability release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
>[!IMPORTANT]
->Devices on the General Availability Channel must have their diagnostic data set to **1 (Basic)** or higher in order to ensure that the service is performing at the expected quality. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
+>Devices on the General Availability Channel must have their diagnostic data set to **1 (Basic)** or higher in order to ensure that the service is performing at the expected quality. For instructions to set the diagnostic data level, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
### Feature updates
-New features are packaged into feature updates that you can deploy using existing management tools. These changes come in bite-sized chunks rather than all at once, decreasing user readiness time.
-
+New features are packaged into feature updates that you can deploy using existing management tools. These changes come in bite-sized chunks rather than all at once, decreasing user readiness time.
### Quality updates
@@ -76,12 +73,12 @@ Monthly updates in previous Windows versions were often overwhelming because of
Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month's update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
-## Servicing channels
+## Servicing channels
-There are three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [General Availability Channel](#general-availability-channel) provides new functionality with feature update releases. Organizations can choose when to deploy updates from the General Availability Channel. The [Long-Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](/windows/release-health/release-information).
+There are three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [General Availability Channel](#general-availability-channel) provides new functionality with feature update releases. Organizations can choose when to deploy updates from the General Availability Channel. The [Long-Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For more information about the versions in each servicing channel, see [Windows release information](/windows/release-health/).
> [!NOTE]
-> Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
+> Servicing channels aren't the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
### General Availability Channel
@@ -89,12 +86,9 @@ In the General Availability Channel, feature updates are available annually. Thi
When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel is available but not necessarily immediately mandatory, depending on the policy of the management system. For more information about servicing tools, see [Servicing tools](#servicing-tools).
-
> [!NOTE]
> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607.
->
->
-> [!NOTE]
+>
> Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
### Long-term Servicing Channel
@@ -105,13 +99,12 @@ Specialized systems—such as devices that control medical equipment, point-of-s
>
> The Long-term Servicing channel is not intended for deployment on most or all the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the General Availability channel.
-Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over the product's lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product's lifecycle information](/lifecycle/products/) page.
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSC. Instead, it typically offers new LTSC releases every 2-3 years, and organizations can choose to install them as in-place upgrades or even skip releases over the product's lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/), or perform a search on the [product's lifecycle information](/lifecycle/products/) page.
> [!NOTE]
> LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
-
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
### Windows Insider
@@ -119,18 +112,16 @@ For many IT pros, gaining visibility into feature updates early can be both intr
Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register).
-
-
## Servicing tools
There are many tools you can use to service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device.
- **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune.
-- **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
-- **Microsoft Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+- **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
+- **Microsoft Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
-**Servicing tools comparison**
+### Servicing tools comparison
| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
| --- | --- | --- | --- | --- |
@@ -138,5 +129,3 @@ There are many tools you can use to service Windows as a service. Each option ha
| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows Update Delivery](../do/waas-optimize-windows-10-updates.md) | Distribution points, multiple deployment options |
-
-
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index f027e7d657..fce23e0310 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -1,8 +1,8 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 18b0aa011f..6fd7172197 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,8 +1,8 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 894cb7361b..78cf2b2e50 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,8 +1,8 @@
---
title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 31038c9fc0..fa5ee150d4 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,8 +1,8 @@
---
title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index b370409adb..84c4092f53 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,8 +1,8 @@
---
title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index cc945db4c2..23e561ea09 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -1,8 +1,8 @@
---
title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/30/2023
+ms.date: 01/18/2024
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -202,9 +202,9 @@ The features that are turned off by default from servicing updates will be enabl
You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available:
-- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
-- **1** - Not allowed. Features that are shipped turned off by default will remain off
+- **0** (default): Not allowed. Features that are shipped turned off by default will remain off
+- **1**: Allowed. All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **1**, all features that are currently turned off will turn on when the device next reboots.
#### I want to enable optional updates
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 22c937a71a..6b757b2706 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,8 +1,8 @@
---
title: Configure Windows Update for Business via Group Policy
description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
manager: aaroncz
ms.topic: conceptual
author: mestew
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index c37d7cc3d2..b6dbfb03a0 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -1,8 +1,8 @@
---
title: Windows Update error code list by component
description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b75a881dc0..80f4dcb167 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,8 +1,8 @@
---
title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: troubleshooting
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 7965aa2782..c81a8e7319 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -1,8 +1,8 @@
---
title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index ab1ed81b28..1d7ec557b6 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -2,8 +2,8 @@
title: Windows Update security
manager: aaroncz
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 714ea509f5..d58ab72657 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -2,8 +2,8 @@
title: Enforce compliance deadlines with policies
titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 0e0b313437..9d93702ea9 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -3,8 +3,8 @@ title: Microsoft 365 admin center software updates page
titleSuffix: Windows Update for Business reports
manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 395856651d..94e36fa723 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -2,8 +2,8 @@
title: Configure devices using Microsoft Intune
titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 7c76c5ad32..545ebbed48 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -2,8 +2,8 @@
title: Manually configure devices to send data
titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 10af47e205..e216694bc7 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -2,8 +2,8 @@
title: Configure clients with a script
titleSuffix: Windows Update for Business reports
description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index d71d76d0be..a02d0d0993 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -2,8 +2,8 @@
title: Delivery Optimization data in reports
titleSuffix: Windows Update for Business reports
description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index 27a5b5ad14..1502d549d2 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -2,8 +2,8 @@
title: Enable Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index fe8f250ece..99fee1bb21 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -3,13 +3,13 @@ metadata:
title: Frequently Asked Questions (FAQ)
titleSuffix: Windows Update for Business reports
description: Answers to frequently asked questions about Windows Update for Business reports.
- ms.prod: windows-client
- ms.technology: itpro-updates
+ ms.service: windows-client
+ ms.subservice: itpro-updates
ms.topic: faq
manager: aaroncz
author: mestew
ms.author: mstewart
- ms.date: 06/20/2023
+ ms.date: 01/26/2024
title: Frequently Asked Questions about Windows Update for Business reports
summary: |
This article answers frequently asked questions about Windows Update for Business reports.
@@ -32,6 +32,7 @@ summary: |
- [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports)
- [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version)
- [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device)
+ - [Why are devices showing an unknown state?](#why-are-devices-showing-an-unknown-state)
- [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables)
- [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates)
- [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data)
@@ -108,7 +109,10 @@ sections:
- **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component.
- question: Why are there multiple records for the same device?
answer: |
- Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed.
+ Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed.
+ - question: Why are devices showing an unknown state?
+ answer: |
+ An unknown client state is displayed if there isn't an update record for the device. This state can happen for many reasons, like the device not being active, not being able to scan Windows Update, or it doesn't currently have any update related activity occurring.
- question: What is the difference between OS version and target version?
answer: |
The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
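Review bot: The new "unknown state" answer lists causes but never says what the state means for reporting, and its last clause breaks the parallel list. Because the answer defines unknown as the device having no update record, it should say that such a device's update status can't be confirmed from the report and shouldn't be counted as up to date. It could also point to the existing "How do I confirm that devices are sending data?" entry as the next step. For the list itself I would write `like the device not being active, not being able to scan Windows Update, or not currently having any update-related activity.`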
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 49268fb5a7..3580a4810a 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -2,8 +2,8 @@
title: Feedback, support, and troubleshooting
titleSuffix: Windows Update for Business reports
description: Windows Update for Business reports support, feedback, and troubleshooting information.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index a38066595f..080f273243 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -2,8 +2,8 @@
title: Windows Update for Business reports overview
titleSuffix: Windows Update for Business reports
description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index c81cd3c96b..30f7ecac00 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -2,8 +2,8 @@
title: Prerequisites for Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
index af84c4b582..ec7e675fd1 100644
--- a/windows/deployment/update/wufb-reports-schema-enumerated-types.md
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -2,8 +2,8 @@
title: Enumerated types
titleSuffix: Windows Update for Business reports
description: Enumerated types for Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index b5383c4ad8..b4c113ef71 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -2,8 +2,8 @@
title: UCClient data schema
titleSuffix: Windows Update for Business reports
description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index 59208c8193..e531090eff 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -2,8 +2,8 @@
title: UCClientReadinessStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 058a649dd6..e75f3bed7e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -2,8 +2,8 @@
title: UCClientUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index e5dfa88144..c6f38d89f3 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -2,8 +2,8 @@
title: UCDeviceAlert data schema
titleSuffix: Windows Update for Business reports
description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 33540428e2..834c5a0b29 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -2,8 +2,8 @@
title: UCDOAggregatedStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index 98e6832a40..f6ff2a21b3 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -2,15 +2,16 @@
title: UCDOStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
-ms.prod: windows-client
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
ms.reviewer: carmenf
-appliesto:
+appliesto:
- ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
ms.date: 12/06/2023
---
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index c78b2c076d..f01a18f679 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -2,8 +2,8 @@
title: UCServiceUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index 588cbd8cb6..331547385e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -2,8 +2,8 @@
title: UCUpdateAlert data schema
titleSuffix: Windows Update for Business reports
description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index 75cdcb5587..d87b64907c 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -2,8 +2,8 @@
title: Windows Update for Business reports data schema
titleSuffix: Windows Update for Business reports
description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 2b4f1b8b1a..7fb8613fcf 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -2,8 +2,8 @@
title: Use the Windows Update for Business reports data
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index d024ceda0d..a8e2e42be7 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -2,8 +2,8 @@
title: Use the workbook for Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports workbook from the Azure portal.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/23/2023
+ms.date: 01/29/2024
---
# Windows Update for Business reports workbook
@@ -36,6 +36,8 @@ To access the Windows Update for Business reports workbook:
1. When the gallery opens, select the **Windows Update for Business reports** workbook. If needed, you can filter workbooks by name in the gallery.
1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Windows Update for Business reports](wufb-reports-enable.md).
+> [!Important]
+> Don't pin the Windows Update for Business reports workbook to an Azure dashboard. Using a pinned report loads an older copy of the report and it won't display any updates to the report template.
## Summary tab
@@ -72,7 +74,8 @@ The **Quality updates** tab displays generalized data at the top by using tiles.
|**Latest security update**| Count of devices that have reported successful installation of the latest security update. | - Select **View details** to display a flyout with a chart that displays the first 1000 items. - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
| **Missing one security update** | Count of devices that haven't installed the latest security update.| - Select **View details** to display a flyout with a chart that displays the first 1000 items. - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).|
| **Missing multiple security updates** | Count of devices that are missing two or more security updates. | - Select **View details** to display a flyout with a chart that displays the first 1000 items. - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
-| **Expedite performance** | Overview of the progress for the expedited deployments of the latest security update. | - Select **View details** to display a flyout with a chart that displays the total progress of each deployment, number of alerts, and count of devices. - Select the count from the **Alerts** column to display the alerts, by name, for the deployment. Selecting the device count for the alert name displays a list of devices with the alert. - Select the count in the **TotalDevices** column to display a list of clients and their information for the deployment. |
+| **Active alerts** | Count of active update and device alerts for quality updates. | |
+| **Expedite status** | Overview of the progress for the expedited deployments of the latest security update. | Select **View details** to display a flyout with two tabs: **Deployments** and **Readiness** - The **Deployments** tab contins a chart that displays the total progress of each deployment, number of alerts, and count of devices.
- The **Readiness** tab contains a chart that displays the number of devices that are **Eligible** and **Ineligible** to install expedited udpates. The **Readiness** tab also contains a table listing the deployments for expedited updates.
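Review bot: Two typos in the added **Expedite status** row would publish as written: `contins` should be `contains` and `udpates` should be `updates`. The new **Active alerts** row also leaves its third cell empty, while every neighbouring row describes what selecting the tile shows. If that tile has no flyout, a short statement to that effect would close the gap. The table header and any rows after this one are outside the hunk.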
-
-> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-
-Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
-
-> [!NOTE]
-> Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files.
-
-The following table describes some log files and how to use them for troubleshooting purposes:
-
+>
+> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files.
+The following table describes some log files and how to use them for troubleshooting purposes:
|Log file |Phase: Location |Description |When to use|
|---|---|---|---|
-|setupact.log|Down-Level:
$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.
Setup.act is the most important log for diagnosing setup issues.|
-|setupact.log|OOBE:
$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
-|setupact.log|Rollback:
$Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.|
-|setupact.log|Pre-initialization (prior to downlevel):
Windows|Contains information about initializing setup.|If setup fails to launch.|
-|setupact.log|Post-upgrade (after OOBE):
Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
-|setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
-|miglog.xml|Post-upgrade (after OOBE):
Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
-|BlueBox.log|Down-Level:
Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
-|Supplemental rollback logs:
Setupmem.dmp
setupapi.dev.log
Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
Setupapi: Device install issues - 0x30018
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
+|**setupact.log**|Down-Level:
$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.
Setup.act is the most important log for diagnosing setup issues.|
+|**setupact.log**|OOBE:
$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
+|**setupact.log**|Rollback:
$Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.|
+|**setupact.log**|Pre-initialization (prior to downlevel):
Windows|Contains information about initializing setup.|If setup fails to launch.|
+|**setupact.log**|Post-upgrade (after OOBE):
Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
+|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
+|**miglog.xml**|Post-upgrade (after OOBE):
Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
+|**BlueBox.log**|Down-Level:
Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
+|Supplemental rollback logs:
**Setupmem.dmp**
**setupapi.dev.log**
Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.
Setupapi: Device install issues - 0x30018
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
## Log entry structure
-A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
+A `setupact.log` or `setuperr.log` entry includes the following elements:
-1. **The date and time** - 2016-09-08 09:20:05
+1. **The date and time** - 2023-09-08 09:20:05
+1. **The log level** - Info, Warning, Error, Fatal Error
-2. **The log level** - Info, Warning, Error, Fatal Error
+1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+ The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
-
-
- The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-
-
-4. **The message** - Operation completed successfully.
+1. **The message** - Operation completed successfully.
See the following example:
| Date/Time | Log level | Component | Message |
|------|------------|------------|------------|
-|2016-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.|
+|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.|
## Analyze log files
-The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to familiarize yourself with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes).
+The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to become familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes).
To analyze Windows Setup log files:
-1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it isn't successful with the upgrade process.
+1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process.
-2. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate.
+1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate.
-3. Open the log file in a text editor, such as notepad.
+1. Open the log file in a text editor, such as notepad.
-4. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
-5. To find the last occurrence of the result code:
+1. To find the last occurrence of the result code:
1. Scroll to the bottom of the file and select after the last character.
- 2. Select **Edit**.
- 3. Select **Find**.
- 4. Type the result code.
- 5. Under **Direction** select **Up**.
- 6. Select **Find Next**.
+ 1. Select **Edit**.
+ 1. Select **Find**.
+ 1. Type the result code.
+ 1. Under **Direction** select **Up**.
+ 1. Select **Find Next**.
-6. When you've located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code.
+1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code.
-7. Search for the following important text strings:
+1. Search for the following important text strings:
- `Shell application requested abort`
- `Abandoning apply due to error for object`
-8. Decode Win32 errors that appear in this section.
+1. Decode Win32 errors that appear in this section.
-9. Write down the timestamp for the observed errors in this section.
+1. Write down the timestamp for the observed errors in this section.
-10. Search other log files for additional information matching these timestamps or errors.
+1. Search other log files for additional information matching these timestamps or errors.
-For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
+For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file:
> [!NOTE]
-> Some lines in the text below are shortened to enhance readability. For example
->
-> - The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds
+>
+> Some lines in the following text are shortened to enhance readability. For example
+>
+> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds
> - The certificate file name, which is a long text string, is shortened to just "CN."
**setuperr.log** content:
@@ -127,20 +123,20 @@ For example, assume that the error code for an error is 0x8007042B - 0x2000D. Se
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
```
-The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
+The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**:
```console
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
```
-The error 0x00000570 is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
+The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**.
-Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for more details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
+Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. This analysis confirms the suspicion that this file is the cause of the upgrade failure:
**setupact.log** content:
```console
-27:00, Info Gather started at 10/5/2016 23:27:00
+27:00, Info Gather started at 10/5/2023 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
@@ -157,7 +153,7 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
27:08, Error Gather failed. Last error: 0x00000000
-27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44
27:08, Info Leaving MigGather method
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
```
@@ -166,7 +162,7 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi
```console
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
->>> Section start 2019/09/26 20:13:01.623
+>>> Section start 2023/09/26 20:13:01.623
cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf
ndv: Install flags: 0x00000000
@@ -250,15 +246,12 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi
<<< [Exit status: FAILURE(0xC1900101)]
```
-This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file.
+This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file.
> [!NOTE]
-> In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
+>
+> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`.
## Related articles
-[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
-
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-
[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
+- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors).
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
deleted file mode 100644
index cf7359540a..0000000000
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Resolve Windows 10 upgrade errors - Windows IT Pro
-manager: aaroncz
-ms.author: frankroj
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-ms.prod: windows-client
-author: frankroj
-ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Resolve Windows 10 upgrade errors: Technical information for IT Pros
-
-**Applies to**
-- Windows 10
-
->[!IMPORTANT]
->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
-
-This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
-The article has been divided into subtopics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
-
-The following four levels are assigned:
-
-Level 100: Basic
-Level 200: Moderate
-Level 300: Moderate advanced
-Level 400: Advanced
-
-## In this guide
-
-See the following topics in this article:
-
-- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
-- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
-- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
-- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
-- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained.
- - [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes.
- - [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes.
-- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
- - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
- - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
-- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes.
- - [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code.
- - [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800.
- - [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
-- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
-
-## Related articles
-
-[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
-
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-
[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
-
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
new file mode 100644
index 0000000000..db42df75b3
--- /dev/null
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -0,0 +1,57 @@
+---
+title: Resolve Windows upgrade errors - Windows IT Pro
+manager: aaroncz
+ms.author: frankroj
+description: Resolve Windows upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+author: frankroj
+ms.localizationpriority: medium
+ms.topic: article
+ms.service: windows-client
+ms.subservice: itpro-deploy
+ms.date: 01/18/2024
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+---
+
+# Resolve Windows upgrade errors: Technical information for IT Pros
+
+> [!IMPORTANT]
+>
+> This article contains technical instructions for IT administrators. The article isn't intended for non-IT administrators such as home or consumer users.
+
+This article contains a brief introduction to the Windows installation processes, and provides resolution procedures that IT administrators can use to resolve issues with a Windows upgrade.
+
+The article is divided into subtopics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+
+The following four levels are assigned:
+
+- Level 100: Basic
+- Level 200: Moderate
+- Level 300: Moderate advanced
+- Level 400: Advanced
+
+## In this guide
+
+See the following articles in this section:
+
+- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps to take to eliminate many Windows upgrade errors.
+- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help isolate the root cause of an upgrade failure.
+- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process.
+- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows upgrade.
+- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained.
+ - [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes.
+ - [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes.
+- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
+ - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
+ - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes.
+ - [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code.
+ - [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800.
+ - [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+ - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+- [Submit Windows upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
+
+## Related articles
+
+- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors).
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 3b512451f5..00ae1403ff 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -1,8 +1,9 @@
---
title: SetupDiag
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.reviewer: shendrix
+ms.service: windows-client
+ms.subservice: itpro-deploy
author: frankroj
manager: aaroncz
ms.author: frankroj
@@ -11,34 +12,34 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.date: 10/28/2022
+ms.date: 01/18/2024
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# SetupDiag
-**Applies to**
-- Windows 10
+> [!NOTE]
+>
+> This article is a 300 level article (moderate advanced). See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
->[!NOTE]
->This is a 300 level topic (moderate advanced).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-
- [](https://go.microsoft.com/fwlink/?linkid=870142)
+> [!div class="nextstepaction"]
+> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142)
## About SetupDiag
-Current downloadable version of SetupDiag: 1.6.2107.27002.
-> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+> [!IMPORTANT]
+>
+> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following [download link](https://go.microsoft.com/fwlink/?linkid=870142). Running the latest version ensures the latest functionality and fixes known issues.
-SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows upgrade was unsuccessful.
-SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
+SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows. SetupDiag can be run on the computer that failed to update. The logs can also be exported from the computer to another location and then running SetupDiag in offline mode.
-## SetupDiag in Windows 10, version 2004 and later
+SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario) in all currently supported versions of Windows.
-With the release of Windows 10, version 2004, SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario).
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, **setupdiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure.
+During the upgrade process, Windows Setup extracts all its sources files, including **SetupDiag.exe**, to the **%SystemDrive%\$Windows.~bt\Sources** directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure.
When run by Windows Setup, the following [parameters](#parameters) are used:
@@ -47,145 +48,200 @@ When run by Windows Setup, the following [parameters](#parameters) are used:
- /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
- /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
-The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**. Note that the registry path isn't the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter isn't specified, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag.
+The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupDiagResults.xml` and in the registry under `HKLM\SYSTEM\Setup\SetupDiag\Results`.
+
+> [!NOTE]
+>
+> When Windows Setup runs SetupDiag automatically, the registry path isn't the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the `/RegPath` parameter isn't specified, data is stored in the registry at `HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag`.
> [!IMPORTANT]
+>
> When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one.
-If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed.
-
-## Using SetupDiag
-
-To quickly use SetupDiag on your current computer:
-1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
-2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
-3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
-4. When SetupDiag has finished downloading, open the folder where you downloaded the file. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane.
-5. Double-click the **SetupDiag** file to run it. Select **Yes** if you're asked to approve running the program.
- - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You'll need to change directories to the location of SetupDiag to run it this way.
-6. A command window will open while SetupDiag diagnoses your computer. Wait for this process to finish.
-7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
-8. Use Notepad to open the log file: **SetupDiagResults.log**.
-9. Review the information that is displayed. If a rule was matched, this information can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
-
-For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
-
-The [Release notes](#release-notes) section at the bottom of this article has information about recent updates to this tool.
+If the upgrade process proceeds normally, the **Sources** directory including **SetupDiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **SetupDiag.exe** is also removed.
## Requirements
-1. The destination OS must be Windows 10.
-2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you aren't sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
+1. The destination version of Windows must be a currently supported version of Windows. The originally installed version of Windows can be a version of Windows that's out of support as long as:
+ - The destination version of Windows is a currently supported version of Windows.
+ - Upgrade to the destination version of Windows is supported from the original installed version of Windows.
+
+1. [.NET Framework 4.7.2](https://go.microsoft.com/fwlink/?linkid=863265) or newer must be installed. To determine which version of .NET is preinstalled with a specific version of Windows, see [.NET Framework system requirements: Supported client operating systems](/dotnet/framework/get-started/system-requirements#supported-client-operating-systems). To determine which version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed).
+
+ The following command-line query can be used to display the currently installed version of .NET:
+
+ ```cmd
+ reg.exe query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
```
- reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
- ```
+
+ As long as at least the required version of .NET is installed, no additional action is required, including if a newer version is installed.
+
+## Using SetupDiag
+
+To quickly use SetupDiag on the current computer:
+
+1. Verify that the system meets the [requirements](#requirements).
+
+1. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
+
+1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder. If desired, the file can also be saved to a different location by using **Save As**.
+
+1. When SetupDiag finishes downloading, open the folder where the file was downloaded. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane.
+
+1. Double-click the **SetupDiag** file to run it. Select **Yes** if asked to approve running the program.
+
+ Double-clicking the file to run it automatically closes the command window when SetupDiag completes its analysis. To instead keep the window open to review the messages SetupDiag generates, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. When running from a command prompt, make sure to change directories to where SetupDiag is located.
+
+1. A command window opens while SetupDiag diagnoses the computer. Wait for this process to finish.
+
+1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from. One is a configuration file, the other is a log file.
+
+1. Use Notepad to open the log file **SetupDiagResults.log**.
+
+1. Review the information that is displayed. If a rule was matched, this information can say why the computer failed to upgrade, and potentially how to fix the problem. See the section [Text log sample](#text-log-sample).
+
+For instructions on how to run the tool in offline mode and with more advanced options, see the sections [Parameters](#parameters) and [Examples](#examples).
## Parameters
| Parameter | Description |
| --- | --- |
-| /? |
|
-| /Output:\
|
-| /LogsPath:\
|
-| /ZipLogs:\
|
-| /Format:\
|
-| /Scenario:\[Recovery\] |
|
-| /Verbose |
|
-| /NoTel |
|
-| /AddReg |
|
-| /RegPath |
|
+| **/?** | Displays interactive help |
+| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example.
Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. |
+| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. |
+| **/ZipLogs:\[True \| False\]** | This optional parameter Tells **SetupDiag.exe** to create a zip file containing the results and all the log files that were parsed. The zip file is created in the same directory where **SetupDiag.exe** is run.
Default: If not specified, a value of 'true' is used. |
+| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. |
+| **/Scenario:\[Recovery \| Debug\]** | This optional parameter can do one of the following two items based on the argument used:
|
+| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. |
+| **/NoTel** | This optional parameter tells **SetupDiag.exe** not to send diagnostic telemetry to Microsoft. |
+| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. If this parameter isn't specified, the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. |
+| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to **HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** unless otherwise specified. |
-Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
-- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0, when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter isn't needed.
+> [!NOTE]
+>
+> The **/Mode** parameter is deprecated in SetupDiag.
+>
+> In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In current versions of SetupDiag, when /LogsPath is specified then SetupDiag automatically runs in offline mode, therefore the /Mode parameter isn't needed.
-### Examples:
+### Examples
-In the following example, SetupDiag is run with default parameters (online mode, results file is SetupDiagResults.log in the same folder where SetupDiag is run).
+- In the following example, SetupDiag is run with default parameters in online mode. The results file is **SetupDiagResults.log** in the same folder where SetupDiag is run.
-```
-SetupDiag.exe
-```
+ ```cmd
+ SetupDiag.exe
+ ```
-In the following example, SetupDiag is run in online mode (this mode is the default). It will know where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified.
+- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified.
-```
-SetupDiag.exe /Output:C:\SetupDiag\Results.log
-```
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\Results.log
+ ```
-The following example uses the /Output parameter to save results to a path name that contains a space:
+- The following example uses the **/Output** parameter to save results to a path name that contains a space:
-```
-SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log"
-```
+ ```cmd
+ SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log"
+ ```
-The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**.
+- The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**.
-```
-SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
-```
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
+ ```
-The following example sets recovery scenario in offline mode. In the example, SetupDiag will search for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the /Output parameter.
+- The following example sets recovery scenario in offline mode. In the example, SetupDiag searches for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the **/Output** parameter.
-```
-SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
-```
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
+ ```
-The following example sets recovery scenario in online mode. In the example, SetupDiag will search for reset/recovery logs on the current system and output results in XML format.
+- The following example sets recovery scenario in online mode. In the example, SetupDiag searches for reset/recovery logs on the current system and output results in XML format.
-```
-SetupDiag.exe /Scenario:Recovery /Format:xml
-```
+ ```cmd
+ SetupDiag.exe /Scenario:Recovery /Format:xml
+ ```
+- The following example is an example of Offline Mode. SetupDiag is instructed to parse setup/upgrade log files in the LogsPath directory and output the results to `C:\SetupDiag\Results.txt`.
+
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\Results.txt /LogsPath:D:\Temp\Logs\Logs1 /RegPath:HKEY_CURRENT_USER\SYSTEM\SetupDiag
+ ```
+
+- The following example is an example of Online Mode. SetupDiag is instructed to look for setup/upgrade logs on the current system and output its results in XML format to `C:\SetupDiag\Results.xml`.
+
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\Results.xml /Format:xml
+ ```
+
+- The following example is an example of Online Mode where no parameters are needed or used. SetupDiag is instructed to look for setup/upgrade logs on the current system and output the results to the same directory where SetupDiag is located.
+
+ ```cmd
+ SetupDiag.exe
+ ```
+
+- The following example is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter.
+
+ ```cmd
+ SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
+ ```
+
+- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format.
+
+ ```cmd
+ SetupDiag.exe /Scenario:Recovery /Format:xml
+ ```
## Log files
-[Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location:
+[Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, SetupDiag should be run against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to the offline location:
-\\$Windows.~bt\sources\panther
-
\\$Windows.~bt\Sources\Rollback
-
\Windows\Panther
-
\Windows\Panther\NewOS
+- `\$Windows.~bt\sources\panther`
+- `\$Windows.~bt\Sources\Rollback`
+- `\Windows\Panther`
+- `\Windows\Panther\NewOS`
-If you copy the parent folder and all subfolders, SetupDiag will automatically search for log files in all subdirectories.
+If the parent folder and all subfolders are copied, SetupDiag automatically searches for log files in all subdirectories.
## Setup bug check analysis
-When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It's also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
+When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. This condition is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
-If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup-related minidumps.
+If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup extracts a minidump (`setupmem.dmp`) file. SetupDiag can also debug these setup-related minidumps.
+
+To debug a setup-related bug check:
+
+- Specify the **/LogsPath** parameter. Memory dumps can't be debugged in online mode.
+
+- Gather the setup memory dump file (`setupmem.dmp) from the failing system.
+
+ `Setupmem.dmp` is created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
-To debug a setup-related bug check, you must:
-- Specify the **/LogsPath** parameter. You can't debug memory dumps in online mode.
-- Gather the setup memory dump file (setupmem.dmp) from the failing system.
- - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
- Install the [Windows Debugging Tools](/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
-In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag:
+In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed prior to running SetupDiag:
-```
+```cmd
SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump
```
## Known issues
-1. Some rules can take a long time to process if the log files involved are large.
-
+- Some rules can take a long time to process if the log files involved are large.
## Sample output
The following command is an example where SetupDiag is run in offline mode.
-```
+```cmd
D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml
-SetupDiag v1.6.0.0
+SetupDiag v1.7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.
Searching for setup logs...
-Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2019 2:44:20 PM to be the correct setup log.
-Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2019 2:45:19 PM to be the correct rollback log.
+Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2023 2:44:20 PM to be the correct setup log.
+Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2023 2:45:19 PM to be the correct rollback log.
Gathering baseline information from setup logs...
@@ -208,241 +264,108 @@ SetupDiag found 1 matching issue.
SetupDiag results were logged to: c:\setupdiag\results.xml
Logs ZipFile created at: c:\setupdiag\Logs_14.zip
-
```
## Rules
-When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file that is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. For more information, see the [release notes](#release-notes) section.
+When SetupDiag searches log files, it uses a set of rules to match known issues. These rules are contained in an xml file. The xml file might be updated with new and updated rules as new versions of SetupDiag are made available.
-Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
+Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **down-level** refers to the first phase of the upgrade process, which runs under the original OS.
-1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
- - This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
-2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
- - This is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled.
-3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
- - This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image.
-4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
- - This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment.
-5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
- - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state.
-6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
- - This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported.
-7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
- - This block is encountered when setup determines the system partition (where the boot loader files are stored) doesn't have enough space to be serviced with the newer boot files required during the upgrade process.
-8. CompatBlockedApplicationAutoUninstall - BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
- - This rule indicates there's an application that needs to be uninstalled before setup can continue.
-9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
- - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies "/compat ignorewarning". This rule indicates setup was executed in /quiet mode but there's an application dismissible block message that has prevented setup from continuing.
-10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4
- - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue.
-11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
- - This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version and needs to be removed prior to the upgrade.
-12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
- - This rule indicates the host OS and the target OS language editions don't match.
-13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
- - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine.
-14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
- - This failure indicates the system ran out of disk space during the down-level operations of upgrade.
-15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
- - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade.
-16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
- - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade.
-17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
- - This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details.
-18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
- - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
-19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
- - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
-20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7
- - This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes.
-21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
- - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine.
-22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- - Finds fatal advanced installer operations that cause setup failures.
-23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781
- - Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in and the error code it produced for diagnostic purposes.
-24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29
- - Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in and the error code it produced for diagnostic purposes.
-25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043
- - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes.
-26. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14
- - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes.
-27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549
- - This rule indicates the update failed to mount a WIM file. It will show the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes.
-28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
- - Determines if the given setup was a success or not based off the logs.
-29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
- - Gives information about failures surfaced early in the upgrade process by setuphost.exe
-30. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
- - Gives failure information surfaced by SetupPlatform, later in the down-level phase.
-31. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
- - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly.
-32. FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
- - Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes.
-33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
- - Gives last operation, failure phase and error information when a rollback occurs.
-34. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71
- - A rule to match AdvancedInstaller read/write failures in a generic sense. Will output the executable being called as well as the error code and exit code reported.
-35. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 (NOTE: This rule replaces the OptionalComponentInstallFailure rule present in v1.10.
- - This matches a specific Optional Component failure when attempting to enumerate components in a package. Will output the package name and error code.
-36. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
- - Matches a specific Optional Component failure when attempting to open an OC package. Will output the package name and error code.
-37. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317
- - Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Will output the error code.
-38. UserProfileCreationFailureDuringFinalize - C6677BA6-2E53-4A88-B528-336D15ED1A64
- - Matches a specific User Profile creation error during the finalize phase of setup. Will output the failure code.
-39. WimApplyExtractFailure - 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
- - Matches a WIM apply failure during WIM extraction phases of setup. Will output the extension, path and error code.
-40. UpdateAgentExpanderFailure - 66E496B3-7D19-47FA-B19B-4040B9FD17E2
- - Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code.
-41. FindFatalPluginFailure - E48E3F1C-26F6-4AFB-859B-BF637DA49636
- - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
-42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
-43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9
- - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code.
-44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9
- - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code.
-45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
- - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation.
-46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71
- - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code.
-47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E
- - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration
-48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78
- - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code.
-49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
- - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code.
-50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317
- - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS.
-51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4
- - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider.
-52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD
- - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code.
-53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980
- - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code.
-54. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
- - These are for server upgrades only, will output the compliance block and remediation required.
-55. PreReleaseWimMountDriverFound - 31EC76CC-27EC-4ADC-9869-66AABEDB56F0
- - Captures failures due to having an unrecognized wimmount.sys driver registered on the system.
-56. WinSetupBootFilterFailure - C073BFC8-5810-4E19-B53B-4280B79E096C
- - Detects failures in the kernel mode file operations.
-57. WimMountDriverIssue - 565B60DD-5403-4797-AE3E-BC5CB972FBAE
- - Detects failures in WimMount.sys registration on the system.
-58. DISMImageSessionFailure - 61B7886B-10CD-4C98-A299-B987CB24A11C
- - Captures failure information when DISM fails to start an image session successfully.
-59. FindEarlyDownlevelError - A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52
- - Detects failures in down-level phase before setup platform is invoked.
-60. FindSPFatalError - A4028172-1B09-48F8-AD3B-86CDD7D55852
- - Captures failure information when setup platform encounters a fatal error.
-61. UserProfileSuffixMismatch - B4BBCCCE-F99D-43EB-9090-078213397FD8
- - Detects when a file or other object causes the migration or creation of a user profile to fail during the update.
-
-## Release notes
-
-07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center.
-- This version contains compliance updates and minor bug fixes.
-- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup.
-
-05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center.
-- This version of SetupDiag is included with Windows 10, version 21H1.
-- A new rule is added: UserProfileSuffixMismatch.
-- All outputs to the command line are now invariant culture for purposes of time/date format
-- Fixed an issue with registry output in which the "no match found" result caused a corrupted REG_SZ value.
-
-08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
- - Log detection performance is improved. Log detection takes around 10 seconds or less where before it could take up to a minute.
- - Added Setup Operation and Setup Phase information to both the results log and the registry information.
- - This is the last Operation and Phase that Setup was in when the failure occurred.
- - Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified.
- - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won't be available.
- - Added more info to the Registry output.
- - Detailed 'FailureData' info where available. Example: "AppName = MyBlockedApplication" or "DiskSpace = 6603" (in MB)
- - "Key = Value" data specific to the failure found.
- - Added 'UpgradeStartTime', 'UpgradeEndTime' and 'UpgradeElapsedTime'
- - Added 'SetupDiagVersion', 'DateTime' (to indicate when SetupDiag was executed on the system), 'TargetOSVersion', 'HostOSVersion' and more…
-
-
-06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
-- All date and time outputs are updated to localized format per user request.
-- Added setup Operation and Phase information to /verbose log.
-- Added last Setup Operation and last Setup Phase information to most rules where it makes sense (see new output below).
-- Performance improvement in searching setupact.logs to determine correct log to parse.
-- Added SetupDiag version number to text report (xml and json always had it).
-- Added "no match" reports for xml and json per user request.
-- Formatted Json output for easy readability.
-- Performance improvements when searching for setup logs; this should be much faster now.
-- Added seven new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
-- Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
- - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
- - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it's always up to date.
- - This registry key also gets deleted when a new update instance is invoked.
- - For an example, see [Sample registry key](#sample-registry-key).
-
-05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
-- This release dds the ability to find and diagnose reset and recovery failures (Push-Button Reset).
-
-12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
-- This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
- - The FindDownlevelFailure rule is up to 10 times faster.
-- New rules have been added to analyze failures upgrading to Windows 10 version 1809.
-- A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
-- Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
-- Some functional and output improvements were made for several rules.
-
-07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
-- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but doesn't have debugger binaries installed.
-
-07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
-- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
-- New feature: Ability to output logs in JSON and XML format.
- - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
- - If the "/Format:xml" or "/Format:json" parameter is omitted, the log output format will default to text.
-- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
-- Three new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
-
-05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
-- Fixed a bug in device install failure detection in online mode.
-- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
-- Telemetry is refactored to only send the rule name and GUID (or "NoRuleMatched" if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
-
-05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center.
-- A performance enhancement has been added to result in faster rule processing.
-- Rules output now includes links to support articles, if applicable.
-- SetupDiag now provides the path and name of files that it's processing.
-- You can now run SetupDiag by selecting it and then examining the output log file.
-- An output log file is now always created, whether or not a rule was matched.
-
-03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
+| Rule Name | GUID | Description |
+| --- | --- |
+| **CompatScanOnly** | FFDAFD37-DB75-498A-A893-472D49A1311D | This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compatibility scan only, not an upgrade. |
+| **PlugInComplianceBlock** | D912150B-1302-4860-91B5-527907D08960 | Detects all compatibility blocks from Server compliance plug-ins. This rule is for server upgrades only. It outputs the compliance block and remediation required. |
+| **BitLockerHardblock** | C30152E2-938E-44B8-915B-D1181BA635AE | This block is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled. |
+| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. |
+| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment. |
+| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. |
+| **SafeModeHardblock** | 404D9523-B7A8-4203-90AF-5FBB05B6579B | This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported. |
+| **InsufficientSystemPartitionDiskSpaceHardblock** | 3789FBF8-E177-437D-B1E3-D38B4C4269D1 | This block is encountered when setup determines the system partition doesn't have enough space to be serviced with the newer boot files required during the upgrade process. The system partition is where the boot loader files are stored |
+| **CompatBlockedApplicationAutoUninstall** | BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 | This rule indicates there's an application that needs to be uninstalled before setup can continue. |
+| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. |
+| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue.
+| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. |
+| **GenericCompatBlock** | 511B9D95-C945-4F9B-BD63-98F1465E1CF6 | The rule indicates that system doesn't meet a hardware requirement for running Windows. For example, the device is missing a requirement for TPM 2.0. This issue can occur even when an attempt is made to bypass the hardware requirements. |
+| **GatedCompatBlock** | 34A9F145-3842-4A68-987F-4622EE0FC162 | This rule indicates that the upgrade failed due to a temporary block. A temporary block is put in place when an issue is found with a specific piece of software or hardware driver and the issue has a fix pending. The block is lifted once the fix is widely available. |
+| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed prior to the upgrade. |
+| **HardblockMismatchedLanguage** | 60BA8449-CF23-4D92-A108-D6FCEFB95B45 | This rule indicates the host OS and the target OS language editions don't match. |
+| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. |
+| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the down-level operations of upgrade. |
+| **DiskSpaceFailure** | 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 | This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. |
+| **PreReleaseWimMountDriverFound** | 31EC76CC-27EC-4ADC-9869-66AABEDB56F0 | Captures failures due to having an unrecognized `wimmount.sys` driver registered on the system. |
+| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. |
+| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
+| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. |
+| **DeviceInstallHang** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. |
+| **DriverPackageMissingFileFailure** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This rule indicates that a driver package had a missing file during device install. Updating the driver package might help resolve the issue. |
+| **UnsignedDriverBootFailure** | CD270AA4-C044-4A22-886A-F34EF2E79469 | This rule indicates that an unsigned driver caused a boot failure. |
+| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. |
+| **WinSetupBootFilterFailure** | C073BFC8-5810-4E19-B53B-4280B79E096C | Detects failures in the kernel mode file operations. |
+| **FindDebugInfoFromRollbackLog** | 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 | This rule determines and gives details when a bug check occurs during the setup/upgrade process that resulted in a memory dump. However, a debugger package isn't required on the executing machine. |
+| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. |
+| **AdvancedInstallerPluginInstallFailed** | 2F784A0E-CEB1-47C5-8072-F1294C7CB4AE | This rule indicates some component that was being installed via an advanced installer (FeatureOnDemand, Language Packs, .NET packages, etc.) failed to install. The rule calls out what was being installed. If the failed component is a FeatureOnDemand, remove the Windows Feature, reboot, and try the upgrade again. If the failed component is a Language Pack, remove the additional language pack, reboot, and try the upgrade again. |
+| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component and error code. |
+| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. |
+| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. |
+| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration |
+| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. |
+| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. |
+| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. |
+| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. |
+| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It indicates the operation and error code associated with the failure for diagnostic purposes. |
+| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. |
+| **UserProfileSuffixMismatch** | B4BBCCCE-F99D-43EB-9090-078213397FD8 | Detects when a file or other object causes the migration or creation of a user profile to fail during the update. |
+| **DuplicateUserProfileFailure** | BD7B3109-80F1-4421-8F0A-B34CD25F4B51 | This rule indicates a fatal error while migrating user profiles, usually with multiple SIDs associated with a single user profile. This error usually occurs when software creates local user accounts that aren't ever used or signed in with. The rule indicates the SID and UserName of the account that is causing the failure. To attempt to resolve the issue, first back up all the user's files for the affected user account. After the user's files are backed up, delete the account in a supported manner. Make sure that the account isn't one that is needed or is currently used to sign into the device. After deleting the account, reboot, and try the upgrade again. |
+| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. |
+| **WimMountDriverIssue** | 565B60DD-5403-4797-AE3E-BC5CB972FBAE | Detects failures in `WimMount.sys` registration on the system. |
+| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path and error code. |
+| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the down-level phase of update from Windows Update. It outputs the package name, function, expression and error code. |
+| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation and error code. |
+| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. |
+| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. Specifies the Package Name, DISM error and add package error code. |
+| **DISMImageSessionFailure** | 61B7886B-10CD-4C98-A299-B987CB24A11C | Captures failure information when DISM fails to start an image session successfully. |
+| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. |
+| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name and error code. |
+| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. |
+| **DriverMigrationFailure** | 9378D9E2-256E-448C-B02F-137F611F5CE3 | This rule indicates a fatal failure when migrating drivers. |
+| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. |
+| | |
+| **FindSuccessfulUpgrade** | 8A0824C8-A56D-4C55-95A0-22751AB62F3E | Determines if the given setup was a success or not based off the logs. |
+| **FindSetupHostReportedFailure** | 6253C04F-2E4E-4F7A-B88E-95A69702F7EC | Gives information about failures surfaced early in the upgrade process by `setuphost.exe` |
+| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the down-level phase. |
+| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. |
+| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in down-level phase before setup platform is invoked. |
+| **FindSPFatalError** | A4028172-1B09-48F8-AD3B-86CDD7D55852 | Captures failure information when setup platform encounters a fatal error. |
+| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. |
+| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase and error information when a rollback occurs. |
## Sample logs
### Text log sample
-```
+```txt
Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
System Information:
- Machine Name = Offline
- Manufacturer = MSI
- Model = MS-7998
- HostOSArchitecture = x64
- FirmwareType = PCAT
- BiosReleaseDate = 20160727000000.000000+000
- BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
- BiosVersion = 1.70
- HostOSVersion = 10.0.15063
- HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
- TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
- HostOSLanguageId = 2057
- HostOSEdition = Core
- RegisteredAV = Windows Defender,
- FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
- UpgradeStartTime = 3/21/2018 9:47:16 PM
- UpgradeEndTime = 3/21/2018 10:02:40 PM
- UpgradeElapsedTime = 00:15:24
- ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
+ Machine Name = Offline
+ Manufacturer = MSI
+ Model = MS-7998
+ HostOSArchitecture = x64
+ FirmwareType = PCAT
+ BiosReleaseDate = 20160727000000.000000+000
+ BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
+ BiosVersion = 1.70
+ HostOSVersion = 10.0.15063
+ HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
+ TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
+ HostOSLanguageId = 2057
+ HostOSEdition = Core
+ RegisteredAV = Windows Defender,
+ FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
+ UpgradeStartTime = 3/21/2023 9:47:16 PM
+ UpgradeEndTime = 3/21/2023 10:02:40 PM
+ UpgradeElapsedTime = 00:15:24
+ ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
@@ -455,7 +378,7 @@ Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-co
```xml
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-
-## In this topic
-
-This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub.
+This article describes how to submit problems with a Windows upgrade to Microsoft using the Windows Feedback Hub.
## About the Feedback Hub
-The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
+The Feedback Hub app allows reporting to Microsoft of any problems encountered while using Windows. It also allows sending suggestions to Microsoft on how to improve the Windows experience. Previously, the Feedback Hub could only be used through the Windows Insider Program. Now anyone can use this tool. The Feedback Hub app can be downloaded from the [Microsoft Store](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
-The Feedback Hub requires Windows 10. If you're having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information. However, you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you're upgrading to Windows 10 from a previous version of Windows 10, the Feedback Hub will collect log files automatically.
+The Feedback Hub requires a currently supported version of Windows. The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading to a currently supported version of Windows from a previous version that's Windows 10 or newer, the Feedback Hub automatically collects log files. For operating systems prior to Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a currently supported version of Windows that supports the Feedback Hub.
## Submit feedback
-To submit feedback about a failed Windows 10 upgrade, select the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)
+To submit feedback about a failed Windows upgrade, open the [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md).
-The Feedback Hub will open.
+In the Feedback Hub, fill out all four sections with as much detail as possible:
-- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**.
-- Under **Give us more detail**, provide additional information about the failed upgrade, such as:
- - When did the failure occur?
- - Were there any reboots?
- - How many times did the system reboot?
- - How did the upgrade fail?
- - Were any error codes visible?
- - Did the computer fail to a blue screen?
- - Did the computer automatically rollback or did it hang, requiring you to power cycle it before it rolled back?
-- Additional details
- - What type of security software is installed?
- - Is the computer up to date with latest drivers and firmware?
- - Are there any external devices connected?
-- If you used the link above, the category and subcategory will be automatically selected. If it isn't selected, choose **Install and Update** and **Windows Installation**.
+1. **Enter your feedback**
+1. **Choose a category**
+1. **Find similar feedback**
+1. **Add more details**
-You can attach a screenshot or file if desired. This is optional, but can be helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs).
+Recommended information that can be included under the **Add more details** section include:
-Select **Submit** to send your feedback.
+- When did the failure occur?
+ - Were there any reboots?
+ - How many times did the system reboot?
+- How did the upgrade fail?
+ - Were any error codes visible?
+ - Did the computer fail to a blue screen?
+ - Did the computer automatically rollback or did it hang, requiring the computer to be power cycled before it rolled back?
+- What type of security software is installed?
+- Is the computer up to date with latest drivers and firmware?
+- Are there any external devices connected?
-See the following example:
+Using the **Attach a screenshot** and **Attach a file** options allows screenshots or files to be included as part of the feedback item. Attachments and screenshots are optional, but can be helpful when diagnosing the upgrade issue. For example, log files can be included as attachments to the feedback item. The location of the Windows upgrade log files is described in the article [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs).
-
+Finally the **Recreate my problem** option can be used to potentially send additional data and logs for Microsoft to evaluate.
-After you select Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
+Once all the feedback items are completed, select the **Submit** button to send the feedback. Microsoft receives the feedback and begins analyzing the issue. The submitted feedback can be checked on periodically to see what solutions are provided.
-## Link to your feedback
+## Link to the feedback
-After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
+After the feedback is submitted, additional information and items can be added to the feedback item. To do so:
-
+1. Open the [Feedback Hub](feedback-hub:).
+1. At the top of the Feedback Hub, select **My feedback**.
+1. Select the feedback item that was submitted.
+1. Select **Share**.
+1. Copy and then use the short link that is displayed.
+
+:::image type="content" alt-text="Share example." source="../images/share.jpg":::
## Related articles
-
-[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 7686e7d15b..3a3e1ce84b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,7 +1,7 @@
---
title: Windows 10 upgrade paths (Windows 10)
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
index 44c3c79c40..f09b8e67cc 100644
--- a/windows/deployment/upgrade/windows-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -3,14 +3,14 @@ title: Windows edition upgrade
description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 57c9590028..6bf70a9220 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -3,30 +3,32 @@ title: Windows error reporting - Windows IT Pro
manager: aaroncz
ms.author: frankroj
description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
+ms.subservice: itpro-deploy
+ms.date: 01/18/2024
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Windows Error Reporting
-**Applies to**
-- Windows 10
-
> [!NOTE]
-> This is a 300 level topic (moderately advanced).
-> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+>
+> This article is a 300 level article (moderately advanced).
+>
+> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
-
-When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell.
+When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event.
To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
> [!IMPORTANT]
-> The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable.
+>
+> The following Event logs are only available if Windows was updated from a previous version of Windows to a new version of Windows.
```powershell
$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
@@ -34,37 +36,35 @@ $event = [xml]$events[0].ToXml()
$event.Event.EventData.Data
```
-To use Event Viewer:
+To use Event Viewer:
+
1. Open Event Viewer and navigate to **Windows Logs\Application**.
-2. Select **Find**, and then search for **winsetupdiag02**.
-3. Double-click the event that is highlighted.
+1. Select **Find**, and then search for **winsetupdiag02**.
+1. Double-click the event that is highlighted.
> [!NOTE]
-> For legacy operating systems, the Event Name was WinSetupDiag01.
+>
+> For legacy operating systems, the Event Name was WinSetupDiag01.
Ten parameters are listed in the event:
-| Parameters |
-| ------------- |
-|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
-|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
-|P3: New OS Architecture (x=default,0=X86,9=AMD64) |
-|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
-|**P5: Result Error Code** (Ex: 0xc1900101) |
-|**P6: Extend Error Code** (Ex: 0x20017) |
-|P7: Source OS build (Ex: 9600) |
-|P8: Source OS branch (not typically available) |
-|P9: New OS build (Ex: 16299} |
-|P10: New OS branch (Ex: rs3_release} |
+| Parameters |
+| ------------- |
+| P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
+| P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
+| P3: New OS Architecture (x=default,0=X86,9=AMD64) |
+| P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
+| **P5: Result Error Code** (Ex: 0xc1900101) |
+| **P6: Extend Error Code** (Ex: 0x20017) |
+| P7: Source OS build (Ex: 9600) |
+| P8: Source OS branch (not typically available) |
+| P9: New OS build (Ex: 16299) |
+| P10: New OS branch (Ex: rs3_release) |
-The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
+The event also contains links to log files that can be used to perform a detailed diagnosis of the error. The following example is an example of this event from a successful upgrade:
:::image type="content" alt-text="Windows Error Reporting." source="../images/event.png" lightbox="../images/event.png":::
## Related articles
-[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
-[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
\ No newline at end of file
+- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors).
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 4a534442ee..90b71af916 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -3,10 +3,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10)
description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 08/09/2023
---
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index c8ea3f2dda..cf0bfb9763 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -1,7 +1,7 @@
---
title: Windows upgrade paths
description: Upgrade to current versions of Windows from a previous version of Windows
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 2507bb5313..398bf0db0c 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -4,10 +4,10 @@ description: Plan, collect, and prepare the source computer for migration using
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 939c96ca6e..0c0c0cd136 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -4,11 +4,11 @@ description: Learn how to author a custom migration .xml file that migrates the
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 0465a9e2e2..a78ca35e20 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -4,11 +4,11 @@ description: Learn about the migration store types and how to determine which mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 0b291ae30c..37d0ee09aa 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -4,11 +4,11 @@ description: Offline migration enables the ScanState tool to run inside a differ
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 76447bf7e6..a0a19e6b05 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -4,11 +4,11 @@ description: Learn how to modify the behavior of a basic User State Migration To
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index b0dd174acb..52e3d80761 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -4,11 +4,11 @@ description: This article discusses general and security-related best practices
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 0f81628b29..3fa1d56d53 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -4,11 +4,11 @@ description: Learn how to choose a migration store type and estimate the amount
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 46389ba17b..7910d461e3 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -4,11 +4,11 @@ description: Learn about the User State Migration Tool (USMT) command-line synta
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 3f2d0b63c8..3cd5309aed 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -4,11 +4,11 @@ description: See how the User State Migration Tool (USMT) is used when planning
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 2a5afcc0d3..4e57000ce6 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -4,11 +4,11 @@ description: Learn how the Config.xml file is an optional User State Migration T
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 1cbc5f19e7..3bcd0d7bad 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -4,11 +4,11 @@ description: In this article, learn how User State Migration Tool (USMT) deals w
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 30bc9366d2..18b3331ea4 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -4,10 +4,10 @@ description: Use custom XML examples to learn how to migrate an unsupported appl
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index caf629751e..33c3120090 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -4,11 +4,11 @@ description: Learn how to customize USMT XML files. Also, learn about the migrat
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index 45f064acbe..68e87f678b 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -4,11 +4,11 @@ description: Determine migration settings for standard or customized for the Use
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index fb45d82016..8db55b2eae 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -4,11 +4,11 @@ description: Estimate the disk space requirement for a migration so that the Use
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 3d5057bb4b..221ef98e11 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -4,11 +4,11 @@ description: In this article, learn how to exclude files and settings when creat
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 34a771f93f..c39ac18b5a 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -4,11 +4,11 @@ description: In this article, learn how to extract files from a compressed User
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index f53ff44eee..666888f9d3 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: 'USMT Frequently Asked Questions'
description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT).'
ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
- ms.prod: windows-client
- ms.technology: itpro-deploy
+ ms.service: windows-client
+ ms.subservice: itpro-deploy
author: frankroj
ms.author: frankroj
manager: aaroncz
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index d33d7352e7..f0e8b6df67 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -4,11 +4,11 @@ description: Learn about general XML guidelines and how to use XML helper functi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 0223b25691..fb1b03a426 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -4,11 +4,11 @@ description: Use of a hard-link migration store for a computer-refresh scenario
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index d104178d52..7008393b54 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -4,10 +4,10 @@ description: Learn how USMT works and how it includes two tools that migrate set
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index ec174c6783..5356e4e408 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -4,11 +4,11 @@ description: Reference the articles in this article to learn how to use User Sta
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 493e1d8149..588764266d 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -4,11 +4,11 @@ description: Identify which applications and settings need to be migrated before
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 54fbd98fbd..db8587a5a5 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -4,11 +4,11 @@ description: Identify the file types, files, folders, and settings that need to
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index 3d88e65fb7..5d8c14a899 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -4,11 +4,11 @@ description: Identify which system settings need to be migrated. The User State
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 012922be11..6f3195fe0a 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -4,11 +4,11 @@ description: Learn how to identify users that need to be migrated, and how to mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
ms.localizationpriority: medium
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 1da15a3f4c..aa89ea14d0 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -4,11 +4,11 @@ description: Specify the migration .xml files that are needed, then use the User
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 596f89f4fa..520ba1010a 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -4,11 +4,11 @@ description: Learn about the syntax and usage of the command-line options availa
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 1df852f15e..53b4df1789 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -4,11 +4,11 @@ description: Learn how to use User State Migration Tool (USMT) logs to monitor t
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index cf601ee1cf..eeb1b3c15f 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -4,11 +4,11 @@ description: Learn how to migrate Encrypting File System (EFS) certificates. Als
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 2ceb559375..898de489c6 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -4,11 +4,11 @@ description: Learn how to migrate user accounts and how to specify which users t
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 0a21f770cd..17d6643a94 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -4,11 +4,11 @@ description: Learn how the User State Migration Tool (USMT) enables support for
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 7f7d552536..f0023bfc0b 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,8 +1,8 @@
---
title: User State Migration Tool (USMT) overview
description: Learn about using User State Migration Tool (USMT) to streamline and simplify user state migration during large deployments of Windows operating systems.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 259b476d8b..806b4afc87 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -4,11 +4,11 @@ description: Learn how to plan the migration carefully so the migration can proc
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index c981506fa9..be9096cf54 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,8 +1,8 @@
---
title: Recognized environment variables
description: Learn how to use environment variables to identify folders that can be different on different computers.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index d9e5035776..e81d243feb 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -4,11 +4,11 @@ description: Use this User State Migration Toolkit (USMT) article to learn detai
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index bbdeaf766b..1ed79eb022 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -4,11 +4,11 @@ description: While the User State Migration Tool (USMT) doesn't have many requir
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/18/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -38,6 +38,9 @@ The following table lists the operating systems supported in USMT.
## Unsupported scenarios
- USMT doesn't support any of the Windows Server operating systems.
+- USMT doesn't support Microsoft Entra joined devices as either a source or destination device.
+- USMT might work with Microsoft Entra hybrid joined devices, but it's not a tested scenario so therefore unsupported.
+- USMT doesn't support migrating settings for Microsoft Store apps.
- USMT shouldn't be used for migrating between previous versions of Windows. USMT is only meant to:
- Migrate to a currently supported version of Windows
- Migrate between currently supported versions of Windows, assuming the version of Windows being migrated to is newer or the same as the previous version of Windows being migrated from.
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index e1d3c09748..247311e3eb 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -4,11 +4,11 @@ description: Learn how to create a custom .xml file and specify this file name o
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 3eb634db20..18a09528cb 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -4,11 +4,11 @@ description: Learn about User State Migration Tool (USMT) online resources, incl
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 7ac1922e48..5b74859a02 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -4,11 +4,11 @@ description: The ScanState command is used with the User State Migration Tool (U
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 9e79a478fa..6a7de9fd90 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -4,11 +4,11 @@ description: The User State Migration Tool (USMT) provides a highly customizable
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index e8afbe495c..b4a39f6bfd 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -4,11 +4,11 @@ description: Learn about testing the migration plan in a controlled laboratory s
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 57328e3440..8b868f1fec 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -4,11 +4,11 @@ description: Learn about User State Migration Tool (USMT) overview articles that
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 203c1e2f5e..e3c14bf619 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -4,11 +4,11 @@ description: Learn about articles that address common User State Migration Tool
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 1cec514459..2ccde56d88 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -4,11 +4,11 @@ description: Learn about the syntax for the utilities available in User State Mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index ca020782bf..cee6051fd0 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -4,11 +4,11 @@ description: Learn how User State Migration Tool (USMT) is designed so that an I
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/18/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -214,7 +214,10 @@ USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, sett
### User profiles from Active Directory to Microsoft Entra ID
-USMT doesn't support migrating user profiles from Active Directory to Microsoft Entra ID.
+- USMT doesn't support migrating user profiles from Active Directory domain joined devices to Microsoft Entra joined devices.
+- USMT doesn't support migrating user profiles from Microsoft Entra joined devices to Active Directory domain joined devices.
+- USMT doesn't support migrating user profiles between Microsoft Entra joined devices.
+- USMT might work when migrating user profiles between Microsoft Entra hybrid joined devices or between Active Directory domain joined devices and Microsoft Entra hybrid joined devices, but it's not a tested scenario so therefore unsupported.
## Related articles
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 5f4ace10bf..7e06dffcf9 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -4,11 +4,11 @@ description: Learn about the XML elements and helper functions that can be emplo
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index a6fd75e2bd..4bc9ba48e0 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -4,11 +4,11 @@ description: Learn about working with and customizing the migration XML files us
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index f100667719..2f66da5edc 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -4,11 +4,11 @@ description: Use these tips and tricks to verify the condition of a compressed m
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index f9f5cfeac3..3182faf447 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -4,11 +4,11 @@ description: Learn about the XML file requirements for creating custom .xml file
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index aefcd10aa4..0e1c0ccf66 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 11/14/2023
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index 956036f01b..4c3cae83e2 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) Activ
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate by Proxy an Active Directory Forest
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index ce77d52b35..82278ce278 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) Active Directory-B
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate an Active Directory Forest Online
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 9304d88783..94a2db6f87 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: how-to
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index b1056c9728..0f74f80116 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -2,8 +2,8 @@
title: Activate using Key Management Service
description: Learn how to use Key Management Service (KMS) to activate Windows.
ms.reviewer: nganguly
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 2dbac0a510..006a02b12c 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -4,12 +4,12 @@ description: After you have configured Key Management Service (KMS) or Active Di
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate clients running Windows 10
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
index 37122356a9..3d293922bf 100644
--- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md
+++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
@@ -4,11 +4,11 @@ description: Enable your enterprise to activate its computers through a connecti
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Active Directory-Based Activation overview
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md
index a57398003d..a458568f79 100644
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -4,11 +4,11 @@ description: Add client computers into the Volume Activation Management Tool (VA
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and manage products
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 20e49eabe0..4ee747359f 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -4,11 +4,11 @@ description: The Discover products function on the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and remove computers
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index 229cb229b6..89439e87f0 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -4,11 +4,11 @@ description: Add a product key to the Volume Activation Management Tool (VAMT) d
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and remove a product key
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index be88aa7204..4d9d39522a 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index a2282b3152..5b39a2996e 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -5,10 +5,10 @@ ms.reviewer: nganguly
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Configure client computers
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 378f187d4d..888523a907 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -4,8 +4,8 @@ description: Learn how to use the VAMT to import product-activation data from a
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: how-to
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index c2f7b56ef2..ed447a8674 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -4,12 +4,12 @@ description: Learn how to install and configure the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install and configure VAMT
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index 1788056d42..0c65b30992 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install a KMS Client Key
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index e98a27e5cd..fec886a0b7 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install a Product Key
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 455f978c0a..e5e731a271 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -4,12 +4,12 @@ description: Learn how to install Volume Activation Management Tool (VAMT) as pa
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 10/13/2023
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index ecd19f7dcc..ae69a809d3 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -4,8 +4,8 @@ description: VAMT enables administrators to automate and centrally manage the Wi
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md
index 5c00b19da0..97e5bcca16 100644
--- a/windows/deployment/volume-activation/kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/kms-activation-vamt.md
@@ -4,11 +4,11 @@ description: The Volume Activation Management Tool (VAMT) can be used to perform
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform KMS activation
diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md
index 51ac686f69..277342a97d 100644
--- a/windows/deployment/volume-activation/local-reactivation-vamt.md
+++ b/windows/deployment/volume-activation/local-reactivation-vamt.md
@@ -4,11 +4,11 @@ description: An initially activated a computer using scenarios like MAK, retail,
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform local reactivation
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index 92fe7a7905..20fa3589f1 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to manage activations and how to activate a client comput
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage Activations
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index 51995c11dc..ccaa432308 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -4,11 +4,11 @@ description: In this article, learn how to add and remove a product key from the
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage Product Keys
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index 174118be90..b1556b3af2 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -4,11 +4,11 @@ description: Learn how to save, import, export, and merge a Computer Information
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage VAMT Data
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 87357dbe84..e48768162a 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -4,11 +4,11 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
description: Understand the most common methods to monitor the success of the activation process for a computer running Windows.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 11/07/2022
---
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index 8ca7a4f5bd..537f46d71e 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to en
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform online activation
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 71a14f511f..dee94991fe 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -4,11 +4,11 @@ description: Product activation is the process of validating software with the m
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 11/07/2022
---
diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md
index 756957a315..9e14cf5631 100644
--- a/windows/deployment/volume-activation/proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/proxy-activation-vamt.md
@@ -4,11 +4,11 @@ description: Perform proxy activation by using the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform Proxy Activation
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index 1da6d8b48a..2b49facf89 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -4,11 +4,11 @@ description: Learn how you must delete products from the product list view so yo
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Remove products
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index 414c9569db..0dc03e90e0 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to ac
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 3: KMS client activation
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 8040430270..1f573be911 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -4,11 +4,11 @@ description: Achieve network access by deploying the Volume Activation Managemen
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 1: Online Activation
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 61b958307c..654a67b2b3 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) to activate produc
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 2: Proxy Activation
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 3a5330083f..713a1587f0 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Update license status function to add the prod
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Update product status
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index d086a0d8ca..9962ec8943 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -4,12 +4,12 @@ description: The Volume Activation Management Tool (VAMT) provides several usefu
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Use the Volume Activation Management Tool
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 776d1007ab..0add9fe565 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -4,11 +4,11 @@ description: Learn how to use Volume Activation Management Tool (VAMT) PowerShel
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Use VAMT in Windows PowerShell
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 4b52470719..a11eb40946 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -4,11 +4,11 @@ description: Find out the current known issues with the Volume Activation Manage
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT known issues
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index d66ce6f5a0..0080eb1275 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -4,11 +4,11 @@ description: In this article, learn about the product key and system requieremen
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT requirements
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index e085f009c8..d13bf3cb1e 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -4,11 +4,11 @@ description: Learn step-by-step instructions on implementing the Volume Activati
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT step-by-step scenarios
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 6d157c6365..438e8f8684 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -4,8 +4,8 @@ description: The Volume Activation Management Tool (VAMT) enables network admini
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index 3c213a2a45..a483753c32 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -4,12 +4,12 @@ description: Learn how to use volume activation to deploy & activate Windows 10.
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Volume Activation for Windows 10
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 5c34ff5222..13ee0fd808 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -1,14 +1,14 @@
---
title: Windows Deployment Services (WDS) boot.wim support
description: This article provides details on the support capabilities of WDS for end to end operating system deployment.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows Deployment Services (WDS) boot.wim support
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 25168e8c14..aecea5c3dc 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -4,8 +4,8 @@ description: View and download Windows 10 deployment process flows for Microsoft
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
ms.topic: reference
ms.date: 11/23/2022
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index c216cfa830..a45b5e94dc 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -4,11 +4,11 @@ description: Understand the different ways Windows 10 operating system can be de
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10 deployment scenarios
@@ -94,7 +94,7 @@ There are some situations where you can't use in-place upgrade; in these situati
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 93cf409b93..7cfea55299 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,14 +1,14 @@
---
title: Windows 10/11 Enterprise E3 in CSP
description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10/11 Enterprise E3 in CSP
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index 364c23a213..3ba1d1b034 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -1,14 +1,14 @@
---
title: How to install fonts missing after upgrading to Windows client
description: Some of the fonts are missing from the system after you upgrade to Windows client.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# How to install fonts that are missing after upgrading to Windows client
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
deleted file mode 100644
index 61823c8faa..0000000000
--- a/windows/deployment/windows-10-poc-mdt.md
+++ /dev/null
@@ -1,668 +0,0 @@
----
-title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: how-to
-ms.technology: itpro-deploy
----
-
-# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-
-*Applies to:*
-
-- Windows 10
-
-> [!IMPORTANT]
-> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
->
-> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
->
-> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
->
-> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
-
-This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
-
-## In this guide
-
-This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-|Topic|Description|Time|
-|--- |--- |--- |
-|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational|
-|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes|
-|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes|
-|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes|
-|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes|
-|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes|
-|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational|
-
-## About MDT
-
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
-
-- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
-
-## Install MDT
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
- Stop-Process -Name Explorer
- ```
-
-1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options.
-
-1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components.
-
-1. If desired, re-enable IE Enhanced Security Configuration:
-
- ```powershell
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Create a deployment share and reference image
-
-A reference image serves as the foundation for Windows 10 devices in your organization.
-
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
-
- ```powershell
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-
-2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
-
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then select **Pin this program to the taskbar**.
-
-5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-6. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: Select **Next** to accept the default
- - Summary: Select **Next**
- - Progress: settings will be applied
- - Confirmation: Select **Finish**
-
-7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-8. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
-
-9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-
-10. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: Select **Next**
- - Progress: wait for files to be copied
- - Confirmation: Select **Finish**
-
- For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
-
-11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence**
- - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- - Specify Product Key: **Do not specify a product key at this time**
- - Full Name: **Contoso**
- - Organization: **Contoso**
- - Internet Explorer home page: `http://www.contoso.com`
- - Admin Password: **Do not specify an Administrator password at this time**
- - Summary: Select **Next**
- - Confirmation: Select **Finish**
-
-12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-13. Select the **Task Sequence** tab. Under **State Restore** select **Tattoo** to highlight it, then select **Add** and choose **New Group**.
-
-14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. Select another location in the window to see the name change.
-
-15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
-
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
-
-17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-
- > [!NOTE]
- > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
-
-18. Select **OK** to complete editing the task sequence.
-
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and select **Properties**, and then select the **Rules** tab.
-
-20. Replace the default rules with the following text:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- UserDataLocation=NONE
- DoCapture=YES
- OSInstall=Y
- AdminPassword=pass@word1
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- JoinWorkgroup=WORKGROUP
- HideShell=YES
- FinishAction=SHUTDOWN
- DoNotCreateExtraPartition=YES
- ApplyGPOPack=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=YES
- SkipBitLocker=YES
- SkipSummary=YES
- SkipRoles=YES
- SkipCapture=NO
- SkipFinalSummary=NO
- ```
-
-21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTBuildLab$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-22. Select **OK** to complete the configuration of the deployment share.
-
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
-
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
-
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
- > [!TIP]
- > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
-
- ```powershell
- New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
- Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
- Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
- Start-VM REFW10X64-001
- vmconnect localhost REFW10X64-001
- ```
-
- The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
-
-28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
-
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
-
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
-
-## Deploy a Windows 10 image using MDT
-
-This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
-
-1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
-
- - **Deployment share path**: C:\MDTProd
- - **Share name**: MDTProd$
- - **Deployment share description**: MDT Production
- - **Options**: accept the default
-
-2. Select **Next**, verify the new deployment share was added successfully, then select **Finish**.
-
-3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then select **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
-
-4. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-
-5. On the **OS Type** page, choose **Custom image file** and then select **Next**.
-
-6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
-
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
-
-8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
-
-9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, select **Next** twice, wait for the import process to complete, and then select **Finish**.
-
-10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then select **OK**. See the following example:
-
- 
-
-### Create the deployment task sequence
-
-1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
-
-2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-
- - Task sequence ID: W10-X64-001
- - Task sequence name: Windows 10 Enterprise x64 Custom Image
- - Task sequence comments: Production Image
- - Select Template: Standard Client Task Sequence
- - Select OS: Windows 10 Enterprise x64 Custom Image
- - Specify Product Key: Don't specify a product key at this time
- - Full Name: Contoso
- - Organization: Contoso
- - Internet Explorer home page: `http://www.contoso.com`
- - Admin Password: pass@word1
-
-### Configure the MDT production deployment share
-
-1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
-
- ```powershell
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
- ```
-
-2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
-
-3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=administrator
- DomainAdminDomain=CONTOSO
- DomainAdminPassword=pass@word1
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- EventService=http://SRV1:9800
- ```
-
- > [!NOTE]
- > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
-
- In this example, a **MachineObjectOU** entry isn't provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab, clients are added to the default computers OU, which requires that this parameter be unspecified.
-
- If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
-
- ```cmd
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- ```
-
- For example, to migrate **all** users on the computer, replace this line with the following line:
-
- ```cmd
- ScanStateArgs=/all
- ```
-
- For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
-
-4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTProd$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-5. Select **OK** when finished.
-
-### Update the deployment share
-
-1. Right-click the **MDT Production** deployment share and then select **Update Deployment Share**.
-
-2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
-
-3. Select **Finish** when the update is complete.
-
-### Enable deployment monitoring
-
-1. In the Deployment Workbench console, right-click **MDT Production** and then select **Properties**.
-
-2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
-
-3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you don't see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
-
-4. Close Internet Explorer.
-
-### Configure Windows Deployment Services
-
-1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```cmd
- WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
- WDSUTIL.exe /Set-Server /AnswerClients:All
- ```
-
-2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
-
-3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then select **Add Boot Image**.
-
-4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, select **Open**, select **Next**, and accept the defaults in the Add Image Wizard. Select **Finish** to complete adding a boot image.
-
-### Deploy the client image
-
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
-
- > [!NOTE]
- > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
-
- Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
-
- ```powershell
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- >Wait until the disable-netadapter command completes before proceeding.
-
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
- ```
-
- Dynamic memory is configured on the VM to conserve resources. However, dynamic memory can cause memory allocation to be reduced below what is required to install an operating system. If memory is reduced below what is required, reset the VM and begin the OS installation task sequence immediately. The reset ensures the VM memory allocation isn't decreased too much while it's idle.
-
-3. Start the new VM and connect to it:
-
- ```powershell
- Start-VM PC2
- vmconnect localhost PC2
- ```
-
-4. When prompted, hit ENTER to start the network boot process.
-
-5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
-
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
-
- ```powershell
- Enable-NetAdapter "Ethernet 2"
- ```
-
-7. On SRV1, in the Deployment Workbench console, select on **Monitoring** and view the status of installation. Right-click **Monitoring** and select **Refresh** if no data is displayed.
-
-8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, select **Finish**. You'll be automatically signed in to the local computer as administrator.
-
- 
-
-This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
-
-## Refresh a computer with Windows 10
-
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
-
-1. If the PC1 VM isn't already running, then start and connect to it:
-
- ```powershell
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Checkpoint-VM -Name PC1 -SnapshotName BeginState
- ```
-
-3. Sign on to PC1 using the CONTOSO\Administrator account.
-
- Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-
-4. Open an elevated command prompt on PC1 and enter the following command:
-
- ```cmd
- cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-
- > [!NOTE]
- > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
-
-5. Choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
-
-6. Choose **Do not back up the existing computer** and select **Next**.
-
- > [!NOTE]
- > The USMT will still back up the computer.
-
-7. Lite Touch Installation will perform the following actions:
- - Back up user settings and data using USMT.
- - Install the Windows 10 Enterprise X64 operating system.
- - Update the operating system via Windows Update.
- - Restore user settings and data using USMT.
-
- You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
-
-8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-
-9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Checkpoint-VM -Name PC1 -SnapshotName RefreshState
- ```
-
-10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-11. Sign in to PC1 using the contoso\administrator account.
-
-## Replace a computer with Windows 10
-
-At a high level, the computer replace process consists of:
-
-- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
-
-### Create a backup-only task sequence
-
-1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
-
-2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
-
-3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- New-Item -Path C:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
- icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
- ```
-
-4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
-
-5. Name the new folder **Other**, and complete the wizard using default options.
-
-6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
-
- - **Task sequence ID**: REPLACE-001
- - **Task sequence name**: Backup Only Task Sequence
- - **Task sequence comments**: Run USMT to back up user data and settings
- - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
-
-7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
-
-8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
-
-### Run the backup-only task sequence
-
-1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
-
- ```cmd
- whoami.exe
- ```
-
-2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
-
- ```powershell
- Remove-Item c:\minint -recurse
- Remove-Item c:\_SMSTaskSequence -recurse
- Restart-Computer
- ```
-
-3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
-
- ```cmd
- cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-
-4. Complete the deployment wizard using the following settings:
-
- - **Task Sequence**: Backup Only Task Sequence
- - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- - **Computer Backup**: Don't back up the existing computer.
-
-5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
-
-6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
-
-7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
-
- ```cmd
- dir C:\MigData\PC1\USMT
-
- Directory: C:\MigData\PC1\USMT
-
- Mode LastWriteTime Length Name
- ---- ------------- ------ ----
- -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
- ```
-
-### Deploy PC3
-
-1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
- ```
-
-2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
-
-3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Start-VM PC3
- vmconnect localhost PC3
- ```
-
-4. When prompted, press ENTER for network boot.
-
-5. On PC3, use the following settings for the Windows Deployment Wizard:
- - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- - **Move Data and Settings**: Don't move user data and settings
- - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
-
-6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
-
- ```powershell
- Enable-NetAdapter "Ethernet 2"
- ```
-
-7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
-
-8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, select **Finish**.
-
-9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
-
-10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
-
-## Troubleshooting logs, events, and utilities
-
-Deployment logs are available on the client computer in the following locations:
-
-- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
-- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
-- After deployment: %WINDIR%\TEMP\DeploymentLogs
-
-You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then select **Enable Log**.
-
-Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
-
-## Related articles
-
-[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
-
-[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d3c1320d86..0ea49d8ff8 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,8 +1,8 @@
---
title: Steps to deploy Windows 10 with Configuration Manager
description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 11b304e822..2ce3939cc7 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -4,8 +4,8 @@ description: Learn about concepts and procedures for deploying Windows 10 in a p
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
ms.topic: tutorial
ms.date: 11/23/2022
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index d2bf8bb55d..82bb386aa3 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -5,10 +5,10 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.localizationpriority: medium
-ms.prod: windows-client
+ms.service: windows-client
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Switch to Windows 10 Pro or Enterprise from S mode
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index b5fc8eb923..53e3545bcc 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,8 +1,8 @@
---
title: Windows subscription activation
description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index f38cf33ebe..62fb152578 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -4,11 +4,11 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows ADK for Windows 10 scenarios for IT Pros
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 3e70bd954a..690fe5613b 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -2,13 +2,13 @@
title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- tier2
@@ -41,6 +41,6 @@ Your admin contacts will receive notifications about support request updates and
1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
1. Select **+Add**.
1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
-1. Select an [Area of focus](#area-of-focus) and enter details of the contact's knowledge and authority in the specified area of focus.
+1. Select an [Area of focus](#area-of-focus) and enter details of the contact's knowledge and authority in the specified area of focus.
1. Select **Save** to add the contact.
1. Repeat for each area of focus.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index f9ce34d2ae..53d37167e5 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -2,13 +2,13 @@
title: Device registration overview
description: This article provides an overview on how to register devices in Autopatch
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
@@ -67,7 +67,7 @@ As described in **step #4** in the previous [Detailed device registration workfl
During the tenant enrollment process, Windows Autopatch creates two different deployment ring sets:
- [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings)
-- [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)
+- [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)
The following four Microsoft Entra ID assigned groups are used to organize devices for the service-based deployment ring set:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index ed02a37c7c..c7521c70a0 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -2,13 +2,13 @@
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
ms.date: 12/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
@@ -123,7 +123,7 @@ You **can’t** rename the Default Autopatch group. However, you can rename a Cu
## Delete a Custom Autopatch group
-You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
+You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
**To delete a Custom Autopatch group:**
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
index b482faa489..54267b0f17 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -2,13 +2,13 @@
title: Windows Autopatch groups overview
description: This article explains what Autopatch groups are
ms.date: 07/20/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index e41d8e60f4..df6c726ade 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -2,13 +2,13 @@
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
ms.date: 09/16/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
@@ -20,7 +20,7 @@ ms.collection:
> [!IMPORTANT]
> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback.
-One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
+One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 4cb39e3d34..4c94d150e3 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -2,13 +2,13 @@
title: Register your devices
description: This article details how to register devices in Autopatch
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
@@ -31,7 +31,7 @@ Windows Autopatch can take over software update management control of devices th
### Windows Autopatch groups device registration
-When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.
+When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.
If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
@@ -152,7 +152,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
1. In the left pane, select **Devices**.
1. Navigate to Provisioning > **Windows 365**.
1. Select Provisioning policies > **Create policy**.
-1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types).
+1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types).
1. Select **Next**.
1. Choose the desired image and select **Next**.
1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) can't manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue.
@@ -200,7 +200,7 @@ Support is available either through Windows 365, or the Windows Autopatch Servic
- For Windows 365 support, see [Get support](/mem/get-support).
- For Azure Virtual Desktop support, see [Get support](https://azure.microsoft.com/support/create-ticket/).
-- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request).
+- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request).
## Device management lifecycle scenarios
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index c79efcf511..2c2a7c6642 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -10,13 +10,14 @@ metadata:
ms.topic: landing-page # Required
author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
- manager: dougeby
+ manager: aaroncz
ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
- ms.prod: windows-client
- ms.technology: itpro-updates
+ ms.service: windows-client
+ ms.subservice: itpro-updates
ms.collection:
- highpri
- tier2
+ - essentials-navigation
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
@@ -33,7 +34,7 @@ landingContent:
url: ./overview/windows-autopatch-overview.md
- text: Windows Autopatch FAQ
url: ./overview/windows-autopatch-faq.yml
-
+
# Card (optional)
- title: Articles and blog posts
linkLists:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index 563e6370c5..dbc576651d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -1,14 +1,14 @@
---
title: Device alerts
-description: Provide notifications and information about the necessary steps to keep your devices up to date.
+description: Provide notifications and information about the necessary steps to keep your devices up to date.
ms.date: 08/01/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index 5aadb310ef..66650fb27b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -2,13 +2,13 @@
title: Microsoft Edge
description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
@@ -17,14 +17,14 @@ ms.collection:
# Microsoft Edge
-Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge.
+Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge.
## Device eligibility
-For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria:
+For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria:
-- The device must be powered on and have an internet connection.
-- There are no policy conflicts between Windows Autopatch policies and customer policies.
+- The device must be powered on and have an internet connection.
+- There are no policy conflicts between Windows Autopatch policies and customer policies.
- The device must be able to access the required network endpoints to reach the Microsoft Edge update service.
- If Microsoft Edge is open, it must restart for the update process to complete.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
index 843b7e8d3c..89a23620fb 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -2,13 +2,13 @@
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- tier2
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
index 0a4f67979c..d9c2ce3ef0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@@ -2,13 +2,13 @@
title: Manage Windows feature update releases
description: This article explains how you can manage Windows feature updates with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
@@ -42,7 +42,7 @@ The following table explains the auto-populating assignment of your deployments
| Phase 3 | Ring2 | Ring2 |
| Phase 4 | Last | Ring3 |
-If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release.
+If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release.
If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases.
@@ -110,7 +110,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
#### Details about Windows feature update policies
-Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
+Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
`Windows Autopatch – DSS policy –
If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) |
| **2** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:
If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) |
| **3** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
-| **4** | Ensure Configuration Manager collections or Microsoft Entra device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Microsoft Entra device groups, or Configuration Manager collections. Ensure you have either Microsoft Entra device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |
+| **4** | Ensure Configuration Manager collections or Microsoft Entra device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Microsoft Entra device groups, or Configuration Manager collections. Ensure you have either Microsoft Entra device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |
### Optimized deployment path: Configuration Manager to Windows Autopatch
@@ -195,7 +196,7 @@ Once you have assessed your readiness state to ensure you're aligned to Windows
## General considerations
-As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch.
+As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch.
Many organizations have existing policies and device management infrastructure, for example:
@@ -270,7 +271,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop
#### Servicing profiles for Microsoft 365 Apps for enterprise
-You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using [Servicing profiles](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#compatibility-with-servicing-profiles). A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#device-eligibility) regardless of existing management tools in your environment.
+You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using [Servicing profiles](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#compatibility-with-servicing-profiles). A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#device-eligibility) regardless of existing management tools in your environment.
You can consider retargeting servicing profiles to non-Windows Autopatch devices or if you plan to continue using them, you can [block Windows Autopatch delivered Microsoft 365 App updates](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#allow-or-block-microsoft-365-app-updates) for Windows Autopatch-enrolled devices.
@@ -285,14 +286,14 @@ Part of your planning might require articulating the business benefits of moving
## Stakeholder communications
-Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate.
+Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate.
- Identify groups impacted by the Autopatch deployment
- Identify key stakeholders in the impacted groups
- Determine the types of communications needed
- Develop your messaging based on the [Recommended deployment steps](#recommended-deployment-steps)
- Create your stakeholder and communication plan schedule based on the [Recommended deployment steps](#recommended-deployment-steps)
-- Have communications drafted and reviewed, and consider your delivery channels such as:
+- Have communications drafted and reviewed, and consider your delivery channels such as:
- Social media posts
- Internal messaging app (for example, Microsoft Teams)
- Internal team site
@@ -318,7 +319,7 @@ If you need assistance with your Windows Autopatch deployment journey, you have
- [Tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md)
- [General support request](../operate/windows-autopatch-support-request.md)
-First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.
+First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.
### Windows Autopatch Private Community (APC)
@@ -332,6 +333,6 @@ Once you're underway with your deployment, consider joining the [Windows Autopat
- Teams discussions
- Previews
-### Windows Autopatch Technology Adoption Program (TAP)
+### Windows Autopatch Technology Adoption Program (TAP)
If you have at least 500 devices enrolled in the service, and will test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 3f0e20c935..365c39fc3b 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -2,16 +2,16 @@
metadata:
title: Windows Autopatch - Frequently Asked Questions (FAQ)
description: Answers to frequently asked questions about Windows Autopatch.
- ms.prod: windows-client
+ ms.service: windows-client
ms.topic: faq
ms.date: 12/04/2023
audience: itpro
ms.localizationpriority: medium
- manager: dougeby
+ manager: aaroncz
author: tiaraquan
ms.author: tiaraquan
ms.reviwer: hathind
- ms.technology: itpro-updates
+ ms.subservice: itpro-updates
title: Frequently Asked Questions about Windows Autopatch
summary: This article answers frequently asked questions about Windows Autopatch.
sections:
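Review bot: The reviewer key in this front matter is still spelled `ms.reviwer` on the unchanged line just above the renamed `ms.subservice`, while the other Autopatch articles touched by this commit use `ms.reviewer: hathind`. This commit already migrates metadata keys (`ms.prod` to `ms.service`, `ms.technology` to `ms.subservice`), so it is the natural place to correct the line to `ms.reviewer: hathind`. A misspelled key is presumably ignored by the publishing pipeline, so the reviewer assignment for the FAQ is likely not being recorded. The same applies to `msreviewer: hathind` (missing the dot) in the front matter hunk of windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md.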
@@ -28,9 +28,9 @@ sections:
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
- question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing?
answer: |
- Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
+ Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- question: Will Windows Autopatch support local domain join Windows 10?
- answer: |
+ answer: |
Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- question: Will Windows Autopatch be available for state and local government customers?
answer: |
@@ -46,8 +46,8 @@ sections:
- [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
-
- Additional prerequisites for devices managed by Configuration Manager:
+
+ Additional prerequisites for devices managed by Configuration Manager:
- [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
- [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
@@ -77,11 +77,11 @@ sections:
- question: Can you change the policies and configurations created by Windows Autopatch?
answer: |
No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant).
- - question: How can I represent our organizational structure with our own deployment cadence?
+ - question: How can I represent our organizational structure with our own deployment cadence?
answer: |
[Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md) helps you manage updates in a way that makes sense for your businesses. For more information, see [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) and [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md).
- name: Update management
- questions:
+ questions:
- question: What systems does Windows Autopatch update?
answer: |
- Windows 10/11 quality updates: Windows Autopatch manages all aspects of deployment rings.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 62ac288ad4..6e49a4703c 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -2,16 +2,17 @@
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 08/08/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.collection:
- highpri
- tier1
+ - essentials-overview
ms.reviewer: hathind
---
@@ -26,8 +27,8 @@ Rather than maintaining complex digital infrastructure, businesses want to focus
- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices.
- **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work.
- **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value.
-- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.
-- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started.
+- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.
+- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started.
- **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 0e481d7a66..40ab383a98 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -2,17 +2,18 @@
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 09/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
- tier1
+ - essentials-privacy
---
# Privacy
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 5ac998067b..4da408b889 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -2,13 +2,13 @@
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 08/31/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index c7695ea433..2633222ae7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -2,13 +2,13 @@
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- tier2
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 95f0ed85fc..b24d784042 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -2,13 +2,13 @@
title: Enroll your tenant
description: This article details how to enroll your tenant
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
@@ -22,7 +22,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
-The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
+The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
## Step 1: Review all prerequisites
@@ -69,7 +69,7 @@ The following are the Microsoft Entra settings:
### Check results
-For each check, the tool reports one of four possible results:
+For each check, the tool reports one of four possible results:
| Result | Meaning |
| ----- | ----- |
@@ -80,7 +80,7 @@ For each check, the tool reports one of four possible results:
## Step 3: Fix issues with your tenant
-If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate.
+If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate.
## Step 4: Enroll your tenant
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index bc26753af7..c349ad620f 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -2,13 +2,13 @@
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
ms.date: 09/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- tier2
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index f7a2045294..b2371addb0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -2,13 +2,13 @@
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
ms.date: 09/12/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 94b4b293fd..c9728ea4ad 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -2,13 +2,13 @@
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
ms.date: 01/11/2024
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index be2b2ce1b9..13ccf4e8ec 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -2,13 +2,13 @@
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 12/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
index 865f6c15c9..0d5ea5808e 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
@@ -2,13 +2,13 @@
title: Conflicting configurations
description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
ms.date: 09/05/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
@@ -20,16 +20,16 @@ ms.collection:
> [!IMPORTANT]
> This feature is in **public preview**. The feature is being actively developed and might not be complete.
-During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.
+During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.
-Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
+Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
The most common sources of conflicting configurations include:
- Active Directory Group Policy (GPO)
- Configuration Manager Device client settings
- Windows Update for Business (WUfB) policies
-- Manual registry updates
+- Manual registry updates
- Local Group Policy settings applied during imaging (LGPO)
## Registry keys inspected by Autopatch
@@ -51,18 +51,18 @@ Windows Autopatch recommends removing the conflicting configurations. The follow
### Intune Remediation
-Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal.
+Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal.
If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations).
#### Detect
```powershell
-if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
- Exit 1
-} else {
- exit 0
-}
+if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
+ Exit 1
+} else {
+ exit 0
+}
```
| Alert details | Description |
@@ -73,9 +73,9 @@ if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PS
#### Remediate
```powershell
-if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
- Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
-}
+if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
+ Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
+}
```
| Alert details | Description |
@@ -121,7 +121,7 @@ Windows Registry Editor Version 5.00
"DoNotConnectToWindowsUpdateInternetLocations"=-
"DisableWindowsUpdateAccess"=-
"WUServer"=-
-[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=-
"NoAutoUpdate"=-
```
@@ -145,7 +145,7 @@ Group Policy management is the most popular client configuration tool in most or
Configuration Manager is a common enterprise management tool that, among many things, can help manage Windows Updates. For this reason, we see many environments misconfigured when moving to either a 100% cloud or co-managed workloads even when the workloads are configured correctly. The client settings are often missed. For more information, see [About client settings and software updates](/mem/configmgr/core/clients/deploy/about-client-settings#software-updates).
1. Go the **Microsoft Endpoint Configuration Manager Console**.
-1. Navigate to **Administration** > **Overview** > **Client Settings**.
+1. Navigate to **Administration** > **Overview** > **Client Settings**.
1. Ensure **Software Updates** isn’t configured. If configured, it’s recommended to remove these settings to prevent conflicts with Windows Autopatch.
## Third-party solutions
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index 21d90312fd..9edb3f3748 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -1,14 +1,14 @@
---
title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
description: This article explains how driver and firmware updates are managed in Autopatch
-ms.date: 06/26/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.date: 06/26/2023
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
msreviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 2534e971d5..c08d4cf821 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -2,13 +2,13 @@
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 06/23/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- tier2
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index e72d9e8042..187028d683 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -2,13 +2,13 @@
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
ms.date: 09/02/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: adnich
ms.collection:
- tier2
@@ -57,7 +57,7 @@ The following policies contain settings that apply to both Windows quality and f
## Windows feature update policies
-The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices.
+The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices.
### Windows feature updates for Windows 10 and later
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
index dc5d2ccde2..7bda20114c 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
@@ -2,13 +2,13 @@
title: What's new 2022
description: This article lists the 2022 feature releases and any corresponding Message center post numbers.
ms.date: 12/09/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index c47bb6418b..7342084085 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,14 +1,14 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 12/14/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.date: 12/14/2023
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
-author: tiaraquan
+author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index e4a305257a..b49d11732b 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,14 +1,14 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 01/11/2024
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.date: 01/22/2024
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
-author: tiaraquan
+author: tiaraquan
ms.author: tiaraquan
-manager: dougeby
+manager: aaroncz
ms.reviewer: hathind
ms.collection:
- highpri
@@ -27,4 +27,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
+| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added [Import Update rings for Windows 10 and later](../operate/windows-autopatch-groups-windows-quality-update-overview.md#import-update-rings-for-windows-10-and-later-public-preview) |
+| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective) | Updated the Service level objective, added the Service level objective calculation. |
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added more E3 and E5 licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. |
+
+## January service releases
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC708071](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service Improvements |
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index b6ac225f0e..89a7b65ab6 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -4,10 +4,10 @@ description: Learn about the tools you can use to deploy Windows 10 and related
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10 deployment scenarios and tools
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index e651c1901d..1e492958a1 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -8,9 +8,10 @@ metadata:
title: Windows client documentation
description: Learn how to deploy, secure, and manage Windows clients for your organization.
ms.topic: hub-page
- ms.prod: windows-client
+ ms.service: windows-client
ms.collection:
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 5187258157..3aa78b5848 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -1,8 +1,8 @@
---
title: Diagnostic Data Viewer for PowerShell Overview (Windows 10)
description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index c574ccb678..55ed54b6bd 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index f4ff30a23c..9e654c4f7c 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index f5bdec7600..9a5fa7bcfb 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level.
title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 56be393273..c047c5d610 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level.
title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 875429c841..749915474a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level.
title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 0eb6b38dc9..4815879665 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -1,8 +1,8 @@
---
title: Changes to Windows diagnostic data collection
description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index c47bf6303c..638225c604 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,8 +1,8 @@
---
description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
index caf816b1d7..69ce081127 100644
--- a/windows/privacy/copilot-supplemental-terms.md
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -1,8 +1,8 @@
---
title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
description: The Supplemental Terms for Copilot in Windows (Preview)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index df75c73dc5..040d37454e 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -1,8 +1,8 @@
---
title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11)
description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index b8bd28080f..c31afd7cdc 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,8 +1,8 @@
---
title: Enhanced diagnostic data required by Windows Analytics (Windows 10)
description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index a16d53210c..f397b8c180 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -1,8 +1,8 @@
---
title: Essential services and connected experiences for Windows
description: Explains what the essential services and connected experiences are for Windows
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index a6892742ba..45001f0589 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -7,9 +7,13 @@ brand: m365
metadata:
title: Windows Privacy
description: Learn about how privacy is managed in Windows.
- ms.prod: windows-client
+ ms.service: windows-client
+ ms.subservice: itpro-privacy
ms.topic: hub-page # Required
- ms.collection: highpri
+ ms.collection:
+ - highpri
+ - essentials-privacy
+ - privacy-windows
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
@@ -49,7 +53,7 @@ productDirectory:
- title: Windows 10 required diagnostic data
imageSrc: /media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
- url: required-windows-diagnostic-data-events-and-fields-2004.md
+ url: required-windows-diagnostic-data-events-and-fields-2004.md
# Card
- title: Optional diagnostic data
imageSrc: /media/common/i_get-started.svg
@@ -165,7 +169,7 @@ additionalContent:
- text: Manage Windows 10 connection endpoints
url: ./manage-windows-2004-endpoints.md
- text: Manage connection endpoints for non-Enterprise editions of Windows 10
- url: windows-endpoints-2004-non-enterprise-editions.md
+ url: windows-endpoints-2004-non-enterprise-editions.md
- text: Manage connections from Windows to Microsoft services
url: manage-connections-from-windows-operating-system-components-to-microsoft-services.md
# Card
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index cf953e1759..45d6b7c45e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -1,8 +1,8 @@
---
title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c487f33918..e5ca2312fd 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,8 +1,8 @@
---
title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services
description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 79bba0d70f..fa51d0f255 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -1,8 +1,8 @@
---
title: Connection endpoints for Windows 11 Enterprise
description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index f6b643c76d..319a0c8305 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -1,8 +1,8 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 2004
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index f79b3dd872..91da38dfa3 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -2,8 +2,8 @@
description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
keywords: privacy, telemetry
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 9b5cb9c9db..9716a4c5ce 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 11 diagnostic data gathered at the basic level.
title: Required diagnostic events and fields for Windows 11, version 21H2
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index dd99685ad0..b552e20cf5 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,8 +1,8 @@
---
description: Learn more about the required Windows 10 diagnostic data gathered.
title: Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index cc4c373f09..ab86dc703a 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -1,14 +1,15 @@
---
title: Windows Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 05/20/2019
ms.topic: conceptual
+ms.collection: essentials-compliance
---
# Windows Privacy Compliance:
A Guide for IT and Compliance Professionals
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 483e61d221..f27e7c4961 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 11 connection endpoints for non-Enterprise editions
description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index 7ae4b7f694..6716304894 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -1,8 +1,8 @@
---
title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
description: Use this article to learn about the types of data that is collected the Full diagnostic data level.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 8f05003e77..44ea57dcd1 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10)
description: Use this article to learn about the types of optional diagnostic data that is collected.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 74b6ce5ab7..b4736b74ce 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 2a78739318..c8f28f8ea4 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 2004, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 2ec2462e4c..f268f032bb 100644
--- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,12 +1,10 @@
---
title: Windows Defender Application Control and virtualization-based code integrity
description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
-ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.technology: itpro-security
ms.date: 03/16/2023
ms.topic: article
---
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 284e549300..e9d01861ab 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -35,7 +35,7 @@ To configure UAC, you can use:
The following instructions provide details how to configure your devices. Select the option that best suits your needs.
-#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Configure UAC with a Settings catalog policy
@@ -61,7 +61,7 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local
| **Setting name**: Switch to the secure desktop when prompting for elevation
**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
| **Setting name**: Virtualize file and registry write failures to per-user locations
**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
-#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
@@ -80,7 +80,7 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
-#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
index ef477ce467..a095fd7246 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
@@ -3,7 +3,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Administer AppLocker
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index ffd2a32a70..654b172dca 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -6,7 +6,7 @@ ms.collection:
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# AppLocker
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index e237fc6361..e974fdf194 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -3,7 +3,7 @@ title: Deploy AppLocker policies by using the enforce rules setting
description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Deploy AppLocker policies by using the enforce rules setting
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index ed64315838..fe3ac2062b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -3,7 +3,7 @@ title: Edit an AppLocker policy
description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Edit an AppLocker policy
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 933deb03c0..75f6df943a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -3,7 +3,7 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Maintain AppLocker policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 6523b1bccc..63277272b1 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -3,7 +3,7 @@ title: Optimize AppLocker performance
description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Optimize AppLocker performance
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 33b57f4bc0..e47477a31a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -3,7 +3,7 @@ title: Test and update an AppLocker policy
description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Test and update an AppLocker policy
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index ffefd947e7..0678fb60b9 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -3,7 +3,7 @@ title: Use the AppLocker Windows PowerShell cmdlets
description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Use the AppLocker Windows PowerShell cmdlets
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
index 90bdaa9748..21442ea394 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
@@ -4,6 +4,7 @@ description: Learn how to plan and implement a WDAC deployment.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.topic: overview
+ms.collection: essentials-get-started
---
# Deploying Windows Defender Application Control (WDAC) policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 615226657c..2b18eadcc2 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -5,7 +5,7 @@ ms.localizationpriority: medium
ms.collection:
- tier3
- must-keep
-ms.date: 06/06/2023
+ms.date: 01/24/2024
ms.topic: article
---
@@ -20,7 +20,7 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the blocklist, including updating a block rule once a driver has been fixed, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
> [!NOTE]
> Blocking drivers can cause devices or software to malfunction, and in rare cases, lead to blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities. Microsoft attempts to balance the security risks from vulnerable drivers with the potential impact on compatibility and reliability to produce the blocklist. As always, Microsoft recommends using an explicit allow list approach to security wherever possible.
@@ -39,7 +39,7 @@ With Windows 11 2022 update, the vulnerable driver blocklist is enabled by defa
The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.
-Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
+Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we provide a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, use the following XML to create your own custom WDAC policies.
## Blocking vulnerable drivers using WDAC
@@ -72,15 +72,17 @@ To check that the policy was successfully applied on your computer:
## Vulnerable driver blocklist XML
> [!IMPORTANT]
-> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
+> The following policy contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE]
> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
+The following recommended blocklist xml policy file can also be downloaded from the [Microsoft Download Center](https://aka.ms/VulnerableDriverBlockList).
+
```xml
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| GPO (user)|**Key path**: `HKEY_USERS\
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+
+> [!NOTE]
+> If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results.
+
+## Next steps
+
+For a list of Windows Hello for Business policy settings, see [Windows Hello for Business policy settings](policy-settings.md).
+
+To learn more about Windows Hello for Business features and how to configure them, see:
+
+- [PIN reset](pin-reset.md)
+- [Dual enrollment](hello-feature-dual-enrollment.md)
+- [Dynamic Lock](hello-feature-dynamic-lock.md)
+- [Multi-factor Unlock](multifactor-unlock.md)
+- [Remote desktop (RDP) sign-in](rdp-sign-in.md)
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp#devicetenantid
+[CSP-2]: /windows/client-management/mdm/passportforwork-csp
+[ENTRA-2]: /entra/fundamentals/how-to-find-tenant
+[MEM-1]: /mem/intune/configuration/settings-catalog
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
new file mode 100644
index 0000000000..475b2dc597
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -0,0 +1,117 @@
+---
+title: Windows Hello for Business cloud-only deployment guide
+description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
+ms.date: 01/03/2024
+ms.topic: how-to
+---
+
+# Cloud-only deployment guide
+
+[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
+
+[!INCLUDE [requirements](includes/requirements.md)]
+
+> [!div class="checklist"]
+>
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
+
+## Deployment steps
+
+> [!div class="checklist"]
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
+> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
+
+## Configure Windows Hello for Business policy settings
+
+When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, there's no extra configuration needed.
+
+Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+
+Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are
+typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
+
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+
+If the Intune tenant-wide policy is configured to *disable Windows Hello for Business*, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business:
+
+- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
+
+Another optional, but recommended, policy setting is:
+
+- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
+
+Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Require Security Device | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)).
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+---
+
+> [!TIP]
+> If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1].
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed.
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Microsoft Entra ID](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-microsoft-entra-id)
+
+## Disable automatic enrollment
+
+If you want to disable the automatic Windows Hello for Business enrollment, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).
+
+> [!NOTE]
+> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business.
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
+[WIN-1]: /windows/client-management/mdm/passportforwork-csp
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
deleted file mode 100644
index ca409fc0b7..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Windows Hello for Business cloud-only deployment
-description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 10/03/2023
-ms.topic: how-to
----
-# Cloud-only deployment
-
-[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
-
-## Introduction
-
-When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
-
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
-
-> [!NOTE]
-> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
-
-## Prerequisites
-
-Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
-
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
-
-It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
-
-```powershell
-Connect-MgGraph
-$DomainId = "
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**|
+| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
or
**User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
- Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
- Select **Update certificates that use certificate templates**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
-> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
->
-> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
-### Configure security for GPO
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
-The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Open the **Enable Windows Hello for Business** GPO
-1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
-1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
-
-### Deploy the Windows Hello for Business Group Policy object
-
-The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
-1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
-
-### Add members to the targeted group
-
-Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
-
-# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-## Configure Windows Hello for Business using Microsoft Intune
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!IMPORTANT]
> The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
@@ -106,99 +64,77 @@ Users (or devices) must receive the Windows Hello for Business group policy sett
> - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
> - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md)
-For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
-There are different ways to enable and configure Windows Hello for Business in Intune:
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
-- Using a policy applied at the tenant level. The tenant policy:
- - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Choose from the following policy types:
- - [Settings catalog][MEM-1]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
-### Verify the tenant-wide policy
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
+| **Windows Hello for Business** | Require Security Device | true |
-To check the Windows Hello for Business policy applied at enrollment time:
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Screenshot that shows disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable and configure Windows Hello for Business
-
-To configure Windows Hello for Business using an *account protection* policy:
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Endpoint security** > **Account protection**
-1. Select **+ Create Policy**
-1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
-1. Select **Create**
-1. Specify a **Name** and, optionally, a **Description** > **Next**
-1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
-1. Under *Enable to certificate for on-premises resources*, select **YES**
-1. Select **Next**
-1. Optionally, add *scope tags* > **Next**
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-1. Review the policy configuration and select **Create**
-
-:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Screenshot that shows enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication).
---
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
-### PIN Setup
+### User experience
-This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
+[!INCLUDE [user-experience](includes/user-experience.md)]
-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
-1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Screenshot that shows animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
-
-> [!IMPORTANT]
-> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
->
-> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
->
-> [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
-
-After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
+After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
> [!NOTE]
-> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint.
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint.
-The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
+The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
+
+> [!NOTE]
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users don't need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a hybrid certificate trust deployment model with federated authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-certificate-trust-deployment-model-with-federated-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Active Directory using a certificate](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-certificate)
+- [Microsoft Entra hybrid join authentication using a certificate](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-certificate)
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-[MEM-1]: /mem/intune/configuration/settings-catalog
-[MEM-2]: /mem/intune/protect/security-baselines
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
-[MEM-4]: /windows/client-management/mdm/passportforwork-csp
-[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
-[MEM-6]: /mem/intune/protect/identity-protection-configure
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 7ff5c70e48..85dd13860f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,20 +1,15 @@
---
title: Configure and validate the PKI in an hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 01/03/2024
ms.topic: tutorial
---
+
# Configure and validate the PKI in a hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
@@ -22,22 +17,15 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
-> [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
-
-> [!IMPORTANT]
-> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
->
-> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
+[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
-[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index a9d49ebfec..3fcb86b928 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,74 +1,51 @@
---
-title: Windows Hello for Business hybrid certificate trust deployment
+title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Hybrid certificate trust deployment
+# Hybrid certificate trust deployment guide
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
-Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-
-This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-
-## Prerequisites
+[!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
-> The following prerequisites must be met for a hybrid certificate trust deployment:
>
-> - Directories and directory synchronization
-> - Federated authentication to Microsoft Entra ID
-> - Device registration
-> - Public Key Infrastructure
-> - Multifactor authentication
-> - Device management
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-### Directories and directory synchronization
+## Deployment steps
-Hybrid Windows Hello for Business needs two directories:
+> [!div class="checklist"]
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md)
+> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md)
+> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
-- An on-premises Active Directory
-- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
+## Federated authentication to Microsoft Entra ID
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
-The hybrid-certificate trust deployment needs a *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
-
-> [!NOTE]
-> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
-
-### Federated authentication to Microsoft Entra ID
-
-Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
-Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
If you're new to AD FS and federation services:
- Review [key AD FS concepts][SER-3] prior to deploying the AD FS farm
- Review the [AD FS design guide][SER-4] to design and plan your federation service
-Once you have your AD FS design ready:
-
-- Review [deploying a federation server farm][SER-2] to configure AD FS in your environment
+Once you have your AD FS design ready, review [deploying a federation server farm][SER-2] to configure AD FS in your environment
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
-### Device registration and device write-back
+## Device registration and device write-back
Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
For Microsoft Entra hybrid joined devices, review the guidance on the [plan your Microsoft Entra hybrid join implementation][AZ-8] page.
@@ -79,9 +56,9 @@ For a **manual configuration** of your AD FS farm to support device registration
Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
> [!NOTE]
-> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the `msDS-KeyCredentialLink` attribute on the computer object.
-If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
+If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure to configure **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
### Public Key Infrastructure
@@ -90,21 +67,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
-### Multifactor authentication
-
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
-
-### Device management
-
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
-
## Next steps
> [!div class="checklist"]
@@ -120,14 +82,10 @@ To configure Windows Hello for Business, devices can be configured through a mob
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
-[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
-[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
deleted file mode 100644
index da843f036d..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
+++ /dev/null
@@ -1,218 +0,0 @@
----
-title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
-description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 02/24/2023
-appliesto:
-- ✅ Windows 10, version 21H2 and later
-ms.topic: tutorial
----
-# Configure and provision Windows Hello for Business - cloud Kerberos trust
-
-[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
-
-## Deployment steps
-
-Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
-
-1. Set up Microsoft Entra Kerberos.
-1. Configure a Windows Hello for Business policy and deploy it to the devices.
-
-
-
-### Deploy Microsoft Entra Kerberos
-
-If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
-
-If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID][AZ-2] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
-
-### Configure Windows Hello for Business policy
-
-After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-
-#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
-
-There are different ways to enable and configure Windows Hello for Business in Intune:
-
-- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group.
-- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- - [Settings catalog][MEM-7]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
-
-### Verify the tenant-wide policy
-
-To check the Windows Hello for Business policy applied at enrollment time:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Devices** > **Windows** > **Windows Enrollment**.
-1. Select **Windows Hello for Business**.
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured.
-
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png":::
-
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable Windows Hello for Business
-
-To configure Windows Hello for Business using an account protection policy:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Endpoint security** > **Account protection**.
-1. Select **+ Create Policy**.
-1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.
-1. Select **Create**.
-1. Specify a **Name** and, optionally, a **Description** > **Next**.
-1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
- - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
-1. Under **Enable to certificate for on-premises resources**, select **Not configured**
-1. Select **Next**.
-1. Optionally, add **scope tags** and select **Next**.
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
-1. Review the policy configuration and select **Create**.
-
-> [!TIP]
-> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
-
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
-
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
-
-### Configure the cloud Kerberos trust policy
-
-The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business.
-
-To configure the cloud Kerberos trust policy:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
-1. For Profile Type, select **Templates** and select the **Custom** Template.
-1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust".
-1. In Configuration Settings, add a new configuration with the following settings:
-
- - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
+
+> [!NOTE]
+> Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy setting is only available as a computer configuration.
+>
+>You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
+>
+>You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
+
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+---
+
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources).
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user signs in, if the prerequisite checks pass. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy.
+
+You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user receives a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't enforced by policy or if the device is Microsoft Entra joined.
+
+> [!NOTE]
+> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user signs in or unlocks with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+
+After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a cloud Kerberos trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-cloud-kerberos-trust-deployment-model-with-managed-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Active Directory using cloud Kerberos trust](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-cloud-kerberos-trust)
+
+## Migrate from key trust deployment model to cloud Kerberos trust
+
+If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
+
+1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos)
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
+1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
+
+> [!NOTE]
+> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+
+## Migrate from certificate trust deployment model to cloud Kerberos trust
+
+> [!IMPORTANT]
+> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
+
+If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
+
+1. Disable the certificate trust policy
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
+1. Sign out and sign back in
+1. Provision Windows Hello for Business using a method of your choice
+
+> [!NOTE]
+> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+
+## Frequently Asked Questions
+
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust).
+
+## Unsupported scenarios
+
+The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
+
+- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
+- Using cloud Kerberos trust for *Run as*
+- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity
-[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
-
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
-
-[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index 10b8e56a94..a1686099b6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,165 +1,114 @@
---
-title: Windows Hello for Business hybrid key trust clients configuration and enrollment
+title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 01/03/2023
+ms.date: 12/29/2023
ms.topic: tutorial
---
-# Configure and enroll in Windows Hello for Business - hybrid key trust
+# Configure and enroll in Windows Hello for Business in a hybrid key trust model
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-
-#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-## Configure Windows Hello for Business using Microsoft Intune
-
-For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
-
-There are different ways to enable and configure Windows Hello for Business in Intune:
-
-- Using a policy applied at the tenant level. The tenant policy:
- - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- - [Settings catalog][MEM-1]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
-
-### Verify the tenant-wide policy
-
-To check the Windows Hello for Business policy applied at enrollment time:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
-
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable and configure Windows Hello for Business
-
-To configure Windows Hello for Business using an *account protection* policy:
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Endpoint security** > **Account protection**
-1. Select **+ Create Policy**
-1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
-1. Select **Create**
-1. Specify a **Name** and, optionally, a **Description** > **Next**
-1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
-1. Select **Next**
-1. Optionally, add *scope tags* > **Next**
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-1. Review the policy configuration and select **Create**
-
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
-
-#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
-
-## Configure Windows Hello for Business using group policies
-
-For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
-It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group.
-
-The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
-
-> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
-
-### Enable Windows Hello for Business group policy setting
-
-The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\
-You can configure the *Enable Windows Hello for Business* setting for computer or users:
-
-- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment
-- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment
-
-If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-### Enable and configure Windows Hello for Business
-
-Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. Type *Enable Windows Hello for Business* in the name box and select **OK**
-1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit**
-1. In the navigation pane, expand **Policies** under **User Configuration**
-1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**
-1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK**
-1. Close the **Group Policy Management Editor**
-
-> [!NOTE]
-> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
+> [!div class="checklist"]
+> Once the prerequisites are met and the PKI configuration is validated, deploying Windows Hello for Business consists of the following steps:
>
-> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
+> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
-### Configure security for GPO
+## Configure Windows Hello for Business policy settings
-The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
+There's one policy setting required to enable Windows Hello for Business in a key trust model:
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Open the **Enable Windows Hello for Business** GPO
-1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
-1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
+- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
-### Deploy the Windows Hello for Business Group Policy object
+Another optional, but recommended, policy setting is:
-The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
-1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
+The following instructions describe how to configure your devices using either Microsoft Intune or group policy (GPO).
-### Add members to the targeted group
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
-Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Require Security Device | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
+
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
---
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
+
+Other policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
:::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png":::
-### PIN Setup
+### User experience
-The following process occurs after a user signs in, to enroll in Windows Hello for Business:
+[!INCLUDE [user-experience](includes/user-experience.md)]
-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
-1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
> [!IMPORTANT]
> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
+> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and access on-premises resources.
> Read [Microsoft Entra Connect Sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a hybrid key trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-key-trust-deployment-model-with-managed-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra hybrid join authentication using a key](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-key)
+- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key)
+
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-
-[MEM-1]: /mem/intune/configuration/settings-catalog
-[MEM-2]: /mem/intune/protect/security-baselines
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
-[MEM-4]: /windows/client-management/mdm/passportforwork-csp
-[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
-[MEM-6]: /mem/intune/protect/identity-protection-configure
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
deleted file mode 100644
index 2fa08c15c9..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in a hybrid key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model.
-ms.date: 01/03/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Configure and validate the Public Key Infrastructure - hybrid key trust
-
-[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
-
-Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
-
-A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
-
-## Deploy an enterprise certification authority
-
-This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\
-If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session.
-
-### Lab-based PKI
-
-The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
-
-Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
-
->[!NOTE]
->Never install a certification authority on a domain controller in a production environment.
-
-1. Open an elevated Windows PowerShell prompt
-1. Use the following command to install the Active Directory Certificate Services role.
- ```PowerShell
- Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
- ```
-1. Use the following command to configure the CA using a basic certification authority configuration
- ```PowerShell
- Install-AdcsCertificationAuthority
- ```
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-> [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
-
-> [!IMPORTANT]
-> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
->
-> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish the certificate template to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
-1. Close the console
-
-> [!IMPORTANT]
-> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-## Section review and next steps
-
-Before moving to the next section, ensure the following steps are complete:
-
-> [!div class="checklist"]
->
-> - Configure domain controller certificates
-> - Supersede existing domain controller certificates
-> - Unpublish superseded certificate templates
-> - Publish the certificate template to the CA
-> - Deploy certificates to the domain controllers
-> - Validate the domain controllers configuration
-
-> [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
-
-
-[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
-[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)
-[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b0ec7021d..e5a08f2117 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,109 +1,93 @@
---
-title: Windows Hello for Business hybrid key trust deployment
+title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 12/28/2022
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: how-to
+ms.date: 01/03/2024
+ms.topic: tutorial
---
-# Hybrid key trust deployment
+
+# Hybrid key trust deployment guide
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-
-This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
-
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-
-## Prerequisites
-
-The following prerequisites must be met for a hybrid key trust deployment:
+[!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
-> * Directories and directory synchronization
-> * Authentication to Microsoft Entra ID
-> * Device registration
-> * Public Key Infrastructure
-> * Multifactor authentication
-> * Device management
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-### Directories and directory synchronization
-
-Hybrid Windows Hello for Business needs two directories:
-
-- An on-premises Active Directory
-- A Microsoft Entra tenant
-
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
-During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
-
-> [!NOTE]
-> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-
-
-### Authentication to Microsoft Entra ID
-
-Authentication to Microsoft Entra ID can be configured with or without federation:
-
-- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
-- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
-
-### Device registration
-
-The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
-For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
-
-### Public Key Infrastructure
-
-An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
-
-
-
-### Multifactor authentication
-
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
-
-### Device management
-
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
-
-## Next steps
-
-Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
+## Deployment steps
> [!div class="checklist"]
-> * Configure and validate the PKI
-> * Configure Windows Hello for Business settings
-> * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Microsoft Entra joined devices
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Configure and enroll in Windows Hello for Business](hybrid-key-trust-enroll.md)
+> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
+
+## Configure and validate the Public Key Infrastructure
+
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+
+Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute).
+
+A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish the certificate template to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
+1. Close the console
+
+> [!IMPORTANT]
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller certificate template
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate template to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
+> [Next: configure and enroll in Windows Hello for Business >](hybrid-key-trust-enroll.md)
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
-[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
-[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-[AZ-6]: /azure/active-directory/hybrid/whatis-phs
-[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
-[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
-
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
deleted file mode 100644
index f327f79f32..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
index ace95add6b..c9cb511415 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
@@ -1,3 +1,9 @@
-
\ No newline at end of file
+
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
deleted file mode 100644
index 7bff02eada..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png
deleted file mode 100644
index e9d0876738..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png
deleted file mode 100644
index fd6644b8b7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png
deleted file mode 100644
index ec2ba07684..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png
deleted file mode 100644
index b5ff9bbb58..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md
new file mode 100644
index 0000000000..04964c59b0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md
@@ -0,0 +1,95 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+## Additional federation servers
+
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
+
+### Server authentication certificate
+
+Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+
+### Install additional servers
+
+Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
+
+## Load balance AD FS
+
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+
+### Install Network Load Balancing Feature on AD FS Servers
+
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
+
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage** and then select **Add Roles and Features**
+1. Select **Next** On the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
+1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
+1. On the **Select server roles** page, select **Next**
+1. Select **Network Load Balancing** on the **Select features** page
+1. Select **Install** to start the feature installation
+
+### Configure Network Load Balancing for AD FS
+
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+
+Sign-in a node of the federation farm with *Administrator* equivalent credentials.
+
+1. Open **Network Load Balancing Manager** from **Administrative Tools**
+1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
+1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
+1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
+1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
+1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
+1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
+1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
+1. In Port Rules, select Edit to modify the default port rules to use port 443
+
+### Additional AD FS Servers
+
+1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
+1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
+
+## Configure DNS for Device Registration
+
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
+You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+
+1. Open the **DNS Management** console
+1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
+1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
+1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
+1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
+1. Right-click the `
|
+ | *General* |
|
+ | *Subject Name* |
|
+ |*Cryptography*|
|
+ |*Request Handling*|Select the **Renew with same key** check box|
+ |*Security*|
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Mark the template as the Windows Hello Sign-in template
+
+Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials
+
+Open an elevated command prompt end execute the following command
+
+```cmd
+certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
+```
+
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example:
+
+```cmd
+CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+
+Old Value:
+msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+TEMPLATE_SERVER_VER_WINBLUE<
|
+ | *General* |
|
+ | *Subject Name* | Select **Supply in the request**
**Note:** Group Managed Service Accounts (GMSA) don't support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.|
+ | *Cryptography* |
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Create an enrollment agent certificate for a standard service account
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
|
+ | *General* |
|
+ | *Subject Name* |
|
+ |*Cryptography*|
|
+ | *Security* |
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
index 1bde4860fe..c75a03a96f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
index 07d8c9cc38..77fad7cbbf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
@@ -29,4 +29,3 @@ Sign in to domain controller or management workstations with *Domain Administrat
1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…**
1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
1. Select **OK**
-
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
index 92853ac52e..e2d6f588de 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
index ec0faae68f..87e7467d71 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
@@ -11,14 +11,14 @@ Confirm your domain controllers enroll the correct certificates and not any supe
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
-1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log
+1. Using the Event Viewer, navigate to the **Application and Services** > **Microsoft** > **Windows** > **CertificateServices-Lifecycles-System** event log
1. Look for an event indicating a new certificate enrollment (autoenrollment):
- The details of the event include the certificate template on which the certificate was issued
- The name of the certificate template used to issue the certificate should match the certificate template name included in the event
- The certificate thumbprint and EKUs for the certificate are also included in the event
- The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
-Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+Certificates superseded by your new domain controller certificate generate an *archive event* in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
### Certificate Manager
@@ -26,9 +26,17 @@ You can use the Certificate Manager console to validate the domain controller ha
### Certutil.exe
-You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates.
+You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:
-To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+```cmd
+certutil.exe -q -store my
+```
+
+To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:
+
+```cmd
+certutil.exe -q -v -store my
+```
### Troubleshooting
@@ -36,4 +44,4 @@ Windows triggers automatic certificate enrollment for the computer during boot,
Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt.
-Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
\ No newline at end of file
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the *allow* auto enrollment permissions.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
deleted file mode 100644
index 8e3cfc064b..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-### Configure an enrollment agent certificate template
-
-A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
-
-The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
-
-> [!IMPORTANT]
-> Follow the procedures below based on the AD FS service account used in your environment.
-
-#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
-
-Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list.
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *WHFB Enrollment Agent* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
-1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
-
- > [!NOTE]
- > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
-
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. On the **Security** tab, select **Add**
-1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
-1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
-1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- - Select **OK**
-1. Close the console
-
-#### Create an enrollment agent certificate for a standard service account
-
-Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list.
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *WHFB Enrollment Agent* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
-1. On the **Subject** tab:
- - Select the **Build from this Active Directory information** button
- - Select **Fully distinguished name** from the **Subject name format**
- - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. On the **Security** tab, select **Add**
-1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
-1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
-1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- - Select **OK**
-1. Close the console
-
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md
new file mode 100644
index 0000000000..4a2a01ac0b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md
@@ -0,0 +1,11 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+You can configure the [Use Windows Hello for Business](../../policy-settings.md#use-windows-hello-for-business) policy setting in the computer or user node of a GPO:
+
+- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment
+- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment
+
+If both user and computer policy settings are deployed, the user policy setting has precedence.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
index 89062e7d07..6f98abf51b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-This document describes Windows Hello for Business functionalities or scenarios that apply to:
\ No newline at end of file
+**This article describes Windows Hello for Business functionalities or scenarios that apply to:**
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
index 2ccadb00cb..c0ad0664a4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md
new file mode 100644
index 0000000000..86a5353764
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md
@@ -0,0 +1,10 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+## Requirements
+
+Before starting the deployment, review the requirements described in the [Plan a Windows Hello for Business Deployment](../index.md) article.
+
+Ensure that the following requirements are met before you begin:
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
index fa5e9a3489..128a9cd1a5 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
+[cloud-only :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
index d273002ddd..7ebb44bfc0 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
+[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
index 5594bf39dd..6406e82fc4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
+[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
index 5e4dd851b9..512be88987 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
+[domain join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Active Directory joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
index dbddf38006..05bbdd63e1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
+[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra joined don't have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
index 206857ace8..b878a41559 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
+[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
index 8719e2a1cc..17ffcc98b4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
+[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 57fd74f5c3..58bad86a1c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 3bbbe2214f..41d9b6cdf9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
+[key trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
index 22db188040..94d2e088de 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
new file mode 100644
index 0000000000..e8185673e6
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
@@ -0,0 +1,12 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+After a user signs in, the Windows Hello for Business enrollment process begins:
+
+1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 46c44a5c62..061c4a62e1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,65 +1,310 @@
---
-title: Windows Hello for Business Deployment Overview
-description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
-ms.date: 02/15/2022
+title: Plan a Windows Hello for Business Deployment
+description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
+ms.date: 01/02/2024
ms.topic: overview
-appliesto:
---
-# Windows Hello for Business Deployment Overview
+# Plan a Windows Hello for Business deployment
-Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
+This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization.
+This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure.
-Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+> [!TIP]
+> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
-## Requirements
+## Using this guide
-This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+There are many options available for deploying Windows Hello for Business, ensuring compatibility with various organizational infrastructures. While the deployment process may appear complex, most organizations will find that they have already implemented the necessary infrastructure. It is important to note that Windows Hello for Business is a distributed system and requires proper planning across multiple teams within an organization.
-- A well-connected, working network
-- Internet access
-- Multi-factor Authentication is required during Windows Hello for Business provisioning
-- Proper name resolution, both internal and external names
-- Active Directory and an adequate number of domain controllers per site to support authentication
-- Active Directory Certificate Services 2012 or later (Note: certificate services aren't needed for cloud Kerberos trust deployments)
-- One or more workstation computers running Windows 10, version 1703 or later
+This guide aims to simplify the deployment process by helping you make informed decisions about each aspect of your Windows Hello for Business deployment. It provides information on the options available and assists in selecting the deployment approach that best suits your environment.
-If you're installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+### How to proceed
-Don't begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working.
+Read this document and record your decisions. When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment.
-## Deployment and trust models
+There are seven main areas to consider when planning a Windows Hello for Business deployment:
-Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
+> [!div class="checklist"]
+>
+> - [Deployment options](#deployment-options)
+> - [Public Key Infrastructure (PKI) requirements](#pki-requirements)
+> - [Authentication to Microsoft Entra ID requirements](#authentication-to-microsoft-entra-id)
+> - [Device configuration options](#device-configuration-options)
+> - [Licensing for cloud services requirements](#licensing-for-cloud-services-requirements)
+> - [Operating System requirements](#operating-system-requirements)
+> - [Prepare users](#prepare-users)
-Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest.
+## Deployment options
-The trust model determines how you want users to authenticate to the on-premises Active Directory:
+The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.
-- The key-trust model is for enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
-- The cloud-trust model is also for hybrid enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and doesn't require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
-- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
-- The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers.
+### Deployment models
-> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md).
+It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment might have already been decided for you based on your current infrastructure.
-Following are the various deployment guides and models included in this topic:
+There are three deployment models from which you can choose:
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)
-- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
-- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
-- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)
-- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
+| | Deployment model | Description |
+|--|--|--|
+| **🔲** | **Cloud-only** | For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services. |
+| **🔲** | **Hybrid** | For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources. |
+| **🔲** | **On-premises** | For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want an SSO user experiences when accessing them. |
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments.
+>[!NOTE]
+>
+>- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests"
+>- Migration from on-premise to hybrid deployment requires redeployment
-## Provisioning
+### Trust types
-Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. The trust type doesn't affect authentication to Microsoft Entra ID. For this reason, the trust type isn't applicable to a cloud-only deployment model.
-> [!NOTE]
-> You must allow access to the URL `account.microsoft.com` to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL doesn't require any authentication and as such, doesn't collect any user data.
+Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+
+The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
+
+The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
+
+There are three trust types from which you can choose:
+
+|| Trust type | Description |
+|--|--|--|
+| **🔲**| **Cloud Kerberos**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. |
+| **🔲**| **Key**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. |
+| **🔲**| **Certificate**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. |
+
+*Key trust* and *certificate trust* use certificate authentication-based Kerberos when requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
+
+The goal of Windows Hello for Business cloud Kerberos trust is to provide a simpler deployment experience, when compared to the other trust types:
+
+- No need to deploy a public key infrastructure (PKI) or to change an existing PKI
+- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
+- [FIDO2 security key sign-in][ENTRA-1] can be deployed with minimal extra setup
+
+> [!TIP]
+> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
+
+Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1].
+
+## PKI requirements
+
+Cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates. The other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
+
+- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
+- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
+- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources
+
+| | Deployment model | Trust type | PKI required? |
+|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | no |
+| **🔲** | **Hybrid** | Cloud Kerberos | no |
+| **🔲** | **Hybrid** | Key | yes |
+| **🔲** | **Hybrid** | Certificate | yes |
+| **🔲** | **On-premises** | Key | yes |
+| **🔲** | **On-premises** | Certificate | yes |
+
+## Authentication to Microsoft Entra ID
+
+Users can authenticate to Microsoft Entra ID using federated authentication or cloud (nonfederated) authentication. Requirements vary based on trust type:
+
+| | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements |
+|--|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a |
+| **🔲** | **Cloud-only** | n/a | Federated authentication | Third-party federation service |
+| **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
+| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or third-party federation service |
+| **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
+| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or third-party federation service |
+| **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS|
+
+To learn more:
+
+- [Federation with Microsoft Entra ID][ENTRA-10]
+- [Password hash synchronization (PHS)][ENTRA-6]
+- [Pass-through authentication (PTA)][ENTRA-7]
+
+### Device registration
+
+For on-premises deployments, the server running the Active Directory Federation Services (AD FS) role is responsible for device registration. For cloud-only and hybrid deployments, devices must register in Microsoft Entra ID.
+
+| Deployment model | Supported join type | Device registration service provider |
+|-|-|-|
+| **Cloud-only** |Microsoft Entra joined
Microsoft Entra registered|Microsoft Entra ID |
+| **Hybrid** |Microsoft Entra joined
Microsoft Entra hybrid joined
Microsoft Entra registered|Microsoft Entra ID|
+| **On-premises** | Active Directory domain joined | AD FS |
+
+> [!IMPORTANT]
+> For *Microsoft Entra hybrid joined* guidance, review [Plan your Microsoft Entra hybrid join implementation][ENTRA-5].
+
+### Multifactor authentication
+
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
+
+- For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
+- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2]
+
+> [!IMPORTANT]
+> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
+
+|| Deployment model | MFA options |
+|--|--|--|
+| **🔲** | **Cloud-only** | Microsoft Entra MFA |
+| **🔲** | **Cloud-only** | Third-party MFA via Microsoft Entra ID custom controls or federation |
+| **🔲** | **Hybrid** | Microsoft Entra MFA |
+| **🔲** | **Hybrid** | Third-party MFA via Microsoft Entra ID custom controls or federation|
+| **🔲** | **On-premises** | AD FS MFA adapter |
+
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
+
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+
+#### MFA and federated authentication
+
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
+
+```powershell
+Connect-MgGraph
+$DomainId = "
- Windows 11 21H2, with [KB5010414][KB-2] and later |
+| **🔲** | **Hybrid** | Key | All supported versions |
+| **🔲** | **Hybrid** | Certificate | All supported versions |
+| **🔲** | **On-premises** | Key| All supported versions |
+| **🔲** | **On-premises** | Certificate | All supported versions |
+
+### Windows Server requirements
+
+All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
+
+| | Deployment model | Trust type | Domain Controller OS version |
+|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | All supported versions |
+| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later
- Windows Server 2019, with [KB4534321][KB-4] and later
- Windows Server 2022 |
+| **🔲** | **Hybrid** | Key | All supported versions |
+| **🔲** | **Hybrid** | Certificate | All supported versions |
+| **🔲** | **On-premises** | Key | All supported versions |
+| **🔲** | **On-premises** | Certificate | All supported versions |
+
+## Prepare users
+
+When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to provision and use Windows Hello.
+
+To learn more, see [Prepare users](prepare-users.md).
+
+## Next steps
+
+Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization.
+
+> [!div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"]
+> To learn more about the deployment process, chose a deployment model and trust type from the following drop-down lists:
+>
+> - [(cloud-only|n/a)](cloud-only.md)
+> - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md)
+> - [(hybrid | key trust)](hybrid-key-trust.md)
+> - [(hybrid | certificate trust)](hybrid-cert-trust.md)
+> - [(on-premises | key trust)](on-premises-key-trust.md)
+> - [(on-premises | certificate trust)](on-premises-cert-trust.md)
+
+
+
+[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
+[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
+[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
+[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
+[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
+[ENTRA-6]: /entra/identity/hybrid/connect/whatis-phs
+[ENTRA-7]: /entra/identity/hybrid/connect/how-to-connect-pta
+[ENTRA-8]: /entra/identity/conditional-access/overview
+[ENTRA-9]: /entra/identity/authentication/concept-mfa-licensing
+[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
+
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
+
+[KB-1]: https://support.microsoft.com/topic/5010415
+[KB-2]: https://support.microsoft.com/topic/5010414
+[KB-3]: https://support.microsoft.com/topic/4534307
+[KB-4]: https://support.microsoft.com/topic/4534321
+[MEM-1]: /mem/intune/enrollment/quickstart-setup-auto-enrollment
+[WIN-1]: /windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 1757f9c6b1..335e4d5cb6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,180 +1,44 @@
---
-title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Configure Active Directory Federation Services in an on-premises certificate trust model
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
+ms.date: 01/03/2024
ms.topic: tutorial
---
# Prepare and deploy Active Directory Federation Services - on-premises certificate trust
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
+[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)]
-Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
+Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* (CRA) and *device registration*.
-The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
-WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
-To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)]
-A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the AD FS deployment by installing and **updating** two Windows Servers.
-
-## Enroll for a TLS server authentication certificate
-
-Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
-
- - **Subject Name**: the internal FQDN of the federation server
- - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
-
-The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
-
-You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
-
-When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-### AD FS authentication certificate enrollment
-
-Sign-in the federation server with *domain administrator* equivalent credentials.
-
-1. Start the Local Computer **Certificate Manager** (certlm.msc)
-1. Expand the **Personal** node in the navigation pane
-1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
-1. Select **Next** on the **Before You Begin** page
-1. Select **Next** on the **Select Certificate Enrollment Policy** page
-1. On the **Request Certificates** page, select the **Internal Web Server** check box
-1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Screenshot that shows example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
-1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
-1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
-1. Select **Enroll**
-
-A server authentication certificate should appear in the computer's personal certificate store.
-
-## Deploy the AD FS role
-
-AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model:
-
-- Device registration
-- Key registration
-- Certificate registration authority (CRA)
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage > Add Roles and Features**
-1. Select **Next** on the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
-1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
-1. Select **Next** on the **Select features** page
-1. Select **Next** on the **Active Directory Federation Service** page
-1. Select **Install** to start the role installation
-
-## Review to validate the AD FS deployment
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm the AD FS farm uses the correct database configuration
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm **all** AD FS servers in the farm have the latest updates installed
-> * Confirm all AD FS servers have a valid server authentication certificate
-
-## Device registration service account prerequisites
-
-The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
-
-GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-### Create KDS Root Key
-
-Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-
-Start an elevated PowerShell console and execute the following command:
-```PowerShell
-Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
-```
-
-## Configure the Active Directory Federation Service Role
-
-Use the following procedures to configure AD FS.
-
-Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**
-1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
-1. On the **Welcome** page, select **Create the first federation server farm > Next**
-1. On the **Connect to Active Directory Domain Services** page, select **Next**
-1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
-1. Select the federation service name from the **Federation Service Name** list
-1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
-1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
-1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
-1. On the **Review Options** page, select **Next**
-1. On the **Pre-requisite Checks** page, select **Configure**
-1. When the process completes, select **Close**
+[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
> [!NOTE]
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
-> 2. Right-click **Scope Descriptions** and select **Add Scope Description**
-> 3. Under name type *ugs* and select **Apply > OK**
-> 4. Launch PowerShell as an administrator and execute the following commands:
-> ```PowerShell
-> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
-> ```
-> 7. Restart the AD FS service
-> 8. Restart the client. User should be prompted to provision Windows Hello for Business
-
-### Add the AD FS service account to the *Key Admins* group
-
-During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-
-Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select the **Users** container in the navigation pane
-1. Right-click **Key Admins** in the details pane and select **Properties**
-1. Select the **Members > Add…**
-1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
-1. Select **OK** to return to **Active Directory Users and Computers**
-1. Change to server hosting the AD FS role and restart it
-
-Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console
-1. In the navigation pane, expand **Service**. Select **Device Registration**
-1. In the details pane, select **Configure device registration**
-1. In the **Configure Device Registration** dialog, Select **OK**
-
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::
-
-Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::
+> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
+> 1. Under name type *ugs* and select **Apply > OK**
+> 1. Launch PowerShell as an administrator and execute the following commands:
+>
+> ```PowerShell
+> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
+> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
+> ```
+>
+> 1. Restart the AD FS service
+> 1. Restart the client. User should be prompted to provision Windows Hello for Business
## Review to validate the AD FS and Active Directory configuration
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
> [!div class="checklist"]
-> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
-> * Confirm you added the AD FS service account to the KeyAdmins group
-> * Confirm you enabled the Device Registration service
+> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+>
+> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> - Confirm you added the AD FS service account to the KeyAdmins group
+> - Confirm you enabled the Device Registration service
## Configure the certificate registration authority
@@ -187,6 +51,7 @@ Open a **Windows PowerShell** prompt and type the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
```
+
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
@@ -196,111 +61,7 @@ AD FS performs its own certificate lifecycle management. Once the registration a
Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
-## Additional federation servers
-
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server authentication certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install additional servers
-
-Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-
-## Load balance AD FS
-
-Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
-
-### Install Network Load Balancing Feature on AD FS Servers
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage** and then select **Add Roles and Features**
-1. Select **Next** On the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
-1. On the **Select server roles** page, select **Next**
-1. Select **Network Load Balancing** on the **Select features** page
-1. Select **Install** to start the feature installation
-
-### Configure Network Load Balancing for AD FS
-
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-
-Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-
-1. Open **Network Load Balancing Manager** from **Administrative Tools**
-1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
-1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
-1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
-1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
-1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
-1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
-1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
-1. In Port Rules, select Edit to modify the default port rules to use port 443
-
-### Additional AD FS Servers
-
-1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
-1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
-
-## Configure DNS for Device Registration
-
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
-You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-
-1. Open the **DNS Management** console
-1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
-1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
-1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
-1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
-1. Right-click the `
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**|
+| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
or
**User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
- Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
- Select **Update certificates that use certificate templates**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+> [!NOTE]
+> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
+
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.
+
+The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+
+The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
+
+### Sequence diagram
+
+To better understand the provisioning flows, review the following sequence diagram:
+
+- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)
+
+
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md
deleted file mode 100644
index 35fd08dd4d..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
-description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-
-# Validate and deploy multifactor authentication - on-premises certificate trust
-
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-
-Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
-
-- third-party authentication providers for AD FS
-- custom authentication provider for AD FS
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
-
-For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method).
-
-Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
-
-> [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings >](on-premises-cert-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
deleted file mode 100644
index 2c8db04a8f..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model
-description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-
-# Configure and validate the Public Key Infrastructure - on-premises certificate trust
-
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
-
-[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
-
-[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
-
-[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish certificate templates to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
index 4c3f3c04e8..6bd1a94800 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
@@ -1,43 +1,94 @@
---
-title: Deployment guide for the on-premises certificate trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Windows Hello for Business on-premises certificate trust deployment guide
+description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Deployment guide for the on-premises certificate trust model
+# On-premises certificate trust deployment guide
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment.
+[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
-There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model:
+[!INCLUDE [requirements](includes/requirements.md)]
-1. [Validate and configure a PKI](on-premises-cert-trust-pki.md)
-1. [Prepare and deploy AD FS](on-premises-cert-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](on-premises-cert-trust-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](on-premises-cert-trust-enroll.md)
+> [!div class="checklist"]
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Windows requirements](index.md#windows-requirements)
+> - [Windows Server requirements](index.md#windows-server-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-## Create the Windows Hello for Business Users security group
+## Deployment steps
-While this is not a required step, it is recommended to create a security group to simplify the deployment.
+Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+> [!div class="checklist"]
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md)
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+## Configure and validate the Public Key Infrastructure
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
+[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
+
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
+
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
+
+[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish certificate templates to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller and web server certificate templates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Configure an enrollment agent certificate template
+> - Publish the certificate templates to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index 4446ced825..12685b46eb 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,264 +1,46 @@
---
-ms.date: 09/07/2023
-title: Prepare and deploy Active Directory Federation Services in an on-premises key trust
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model.
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Configure Active Directory Federation Services in an on-premises key trust model
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
+ms.date: 01/03/2024
ms.topic: tutorial
---
+
# Prepare and deploy Active Directory Federation Services - on-premises key trust
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*.
-The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
-WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
-To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)]
-A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the AD FS deployment by installing and **updating** two Windows Servers.
-
-## Enroll for a TLS server authentication certificate
-
-Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
- - **Subject Name**: the internal FQDN of the federation server
- - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
-
-The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
-
-You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
-
-When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-
-### AD FS authentication certificate enrollment
-
-Sign-in the federation server with *domain administrator* equivalent credentials.
-
-1. Start the Local Computer **Certificate Manager** (certlm.msc)
-1. Expand the **Personal** node in the navigation pane
-1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
-1. Select **Next** on the **Before You Begin** page
-1. Select **Next** on the **Select Certificate Enrollment Policy** page
-1. On the **Request Certificates** page, select the **Internal Web Server** check box
-1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
-1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
-1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
-1. Select **Enroll**
-
-A server authentication certificate should appear in the computer's personal certificate store.
-
-## Deploy the AD FS role
-
-AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments.
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage > Add Roles and Features**
-1. Select **Next** on the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
-1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
-1. Select **Next** on the **Select features** page
-1. Select **Next** on the **Active Directory Federation Service** page
-1. Select **Install** to start the role installation
-
-## Review to validate the AD FS deployment
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm the AD FS farm uses the correct database configuration
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm **all** AD FS servers in the farm have the latest updates installed
-> * Confirm all AD FS servers have a valid server authentication certificate
-
-## Device registration service account prerequisites
-
-The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
-
-GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-### Create KDS Root Key
-
-Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-
-Start an elevated PowerShell console and execute the following command:
-```PowerShell
-Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
-```
-
-## Configure the Active Directory Federation Service Role
-
-Use the following procedures to configure AD FS.
-
-Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**
-1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
-1. On the **Welcome** page, select **Create the first federation server farm > Next**
-1. On the **Connect to Active Directory Domain Services** page, select **Next**
-1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
-1. Select the federation service name from the **Federation Service Name** list
-1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
-1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
-1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
-1. On the **Review Options** page, select **Next**
-1. On the **Pre-requisite Checks** page, select **Configure**
-1. When the process completes, select **Close**
-
-### Add the AD FS service account to the *Key Admins* group
-
-During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-
-Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select the **Users** container in the navigation pane
-1. Right-click **Key Admins** in the details pane and select **Properties**
-1. Select the **Members > Add…**
-1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
-1. Select **OK** to return to **Active Directory Users and Computers**
-1. Change to server hosting the AD FS role and restart it
-
-## Configure the device registration service
-
-Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console
-1. In the navigation pane, expand **Service**. Select **Device Registration**
-1. In the details pane, select **Configure device registration**
-1. In the **Configure Device Registration** dialog, Select **OK**
-
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
-
-Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
+[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
## Review to validate the AD FS and Active Directory configuration
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
> [!div class="checklist"]
-> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
-> * Confirm you added the AD FS service account to the KeyAdmins group
-> * Confirm you enabled the Device Registration service
+>
+> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> - Confirm you added the AD FS service account to the KeyAdmins group
+> - Confirm you enabled the Device Registration service
-## Additional federation servers
+[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)]
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server authentication certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install additional servers
-
-Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-
-## Load balance AD FS
-
-Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
-
-### Install Network Load Balancing Feature on AD FS Servers
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage** and then select **Add Roles and Features**
-1. Select **Next** On the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
-1. On the **Select server roles** page, select **Next**
-1. Select **Network Load Balancing** on the **Select features** page
-1. Select **Install** to start the feature installation
-
-### Configure Network Load Balancing for AD FS
-
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-
-Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-
-1. Open **Network Load Balancing Manager** from **Administrative Tools**
-1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
-1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
-1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
-1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
-1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
-1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
-1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
-1. In Port Rules, select Edit to modify the default port rules to use port 443
-
-### Additional AD FS Servers
-
-1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
-1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
-
-## Configure DNS for Device Registration
-
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
-You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-
-1. Open the **DNS Management** console
-1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
-1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
-1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
-1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
-1. Right-click the `
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
+
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+### Sequence diagram
+
+To better understand the provisioning flows, review the following sequence diagram:
+
+- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)
+
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
deleted file mode 100644
index 6d7aef36c5..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Configure and validate the Public Key Infrastructure - on-premises key trust
-
-[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
-
-[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish certificate templates to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 961219b27e..a5a2281196 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,35 +1,86 @@
---
-title: Windows Hello for Business deployment guide for the on-premises key trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
+title: Windows Hello for Business on-premises key trust deployment guide
+description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Deployment guide overview - on-premises key trust
+# On-premises key trust deployment guide
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+[!INCLUDE [requirements](includes/requirements.md)]
-1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
-1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
-1. [Validate and deploy multifactor authentication (MFA)](on-premises-key-trust-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+> [!div class="checklist"]
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Windows requirements](index.md#windows-requirements)
+> - [Windows Server requirements](index.md#windows-server-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-## Create the Windows Hello for Business Users security group
+## Deployment steps
-While this isn't a required step, it's recommended to create a security group to simplify the deployment.
+Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+> [!div class="checklist"]
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+## Configure and validate the Public Key Infrastructure
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish certificate templates to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller and web server certificate templates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate templates to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
new file mode 100644
index 0000000000..9dbdfc8a07
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -0,0 +1,45 @@
+---
+title: Prepare users to provision and use Windows Hello for Business
+description: Learn how to prepare users to enroll and to use Windows Hello for Business.
+ms.date: 01/02/2024
+ms.topic: end-user-help
+---
+
+# Prepare users to provision and use Windows Hello for Business
+
+This article provides guidance on how to prepare users to enroll and to use Windows Hello for Business. It also provides guidance on how to communicate the benefits of Windows Hello for Business to users.
+
+## Multi-factor authentication
+
+The provisioning of Windows Hello requires users to authenticate with multi-factor (MFA). Ensure that you have a solution in place for users to use MFA during the process.
+
+> [!TIP]
+> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).
+
+## Biometric gestures
+
+Depending on the hardware, users might be prompted to register their fingerprint or face. Explain to users that for convenience, they should register their biometric gesture during the provisioning process. The biometric gesture can be used to unlock the device and to authenticate to resources that require Windows Hello for Business. Biometric gestures are valid only on the enrolled device and are not stored outside the device.
+
+## User experience
+
+The next video shows the Windows Hello for Business enrollment experience after a user signs in with a password:
+
+1. Since the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources. The unlock gesture is valid only on the enrolled device.
+
+> [!IMPORTANT]
+> Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+
+The next video shows the Windows Hello for Business enrollment experience as part of the out-of-box-experience (OOBE) process:
+
+1. The user joins the device to Microsoft Entra ID and is prompted for MFA during the join process
+1. The device is Managed by Microsoft Intune and applies Windows Hello for Business policy settings
+1. After the user profile is loaded, but before the access to the desktop is granted, the user must enroll in Windows Hello
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d alt-text="Video showing the Windows Hello for Business enrollment steps after the out-of-box-experience process."]
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md
deleted file mode 100644
index 61dffe9d37..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/requirements.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-ms.date: 10/09/2023
-title: Windows Hello for Business Deployment Prerequisite Overview
-description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.topic: overview
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
----
-
-# Windows Hello for Business Deployment Prerequisite Overview
-
-This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-
-
-
-## Microsoft Entra Cloud Only Deployment
-
-- Microsoft Entra ID
-- Microsoft Entra multifactor authentication
-- Device management solution (Intune or supported third-party MDM), *optional*
-- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
-
-## Hybrid Deployments
-
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
-
-| Requirement | Cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed |
-| --- | --- | --- | --- | --- |
-| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions |
-| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema |
-| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
-| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
-| **MFA Requirement** | Azure MFA, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter |
-| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required |
-| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required |
-
-## On-premises Deployments
-
-The table shows the minimum requirements for each deployment.
-
-| Requirement | Key trust
Group Policy managed | Certificate trust
Group Policy managed|
-| --- | --- | ---|
-| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions|
-| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema|
-| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
-| **Domain Controller Version**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **Certificate Authority**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **AD FS Version**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index 87ab1eb026..55964be416 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -1,29 +1,18 @@
items:
-- name: Windows Hello for Business deployment overview
+- name: Plan a Windows Hello for Business Deployment
href: index.md
-- name: Deployment prerequisite overview
- href: requirements.md
- name: Cloud-only deployment
- href: cloud.md
+ href: cloud-only.md
- name: Hybrid deployments
items:
- name: Cloud Kerberos trust deployment
- items:
- - name: Overview
- href: hybrid-cloud-kerberos-trust.md
- displayName: cloud Kerberos trust
- - name: Configure and provision Windows Hello for Business
- href: hybrid-cloud-kerberos-trust-enroll.md
- displayName: cloud Kerberos trust
+ href: hybrid-cloud-kerberos-trust.md
- name: Key trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: hybrid-key-trust.md
displayName: key trust
- - name: Configure and validate the PKI
- href: hybrid-key-trust-pki.md
- displayName: key trust
- - name: Configure and provision Windows Hello for Business
+ - name: Configure and enroll in Windows Hello for Business
href: hybrid-key-trust-enroll.md
displayName: key trust
- name: Configure SSO for Microsoft Entra joined devices
@@ -31,7 +20,7 @@ items:
displayName: key trust
- name: Certificate trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: hybrid-cert-trust.md
displayName: certificate trust
- name: Configure and validate Public Key Infrastructure (PKI)
@@ -53,25 +42,19 @@ items:
items:
- name: Key trust deployment
items:
- - name: Overview
- href: hybrid-cloud-kerberos-trust.md
- - name: Configure and validate the PKI
- href: on-premises-key-trust-pki.md
+ - name: Requirements and validation
+ href: on-premises-key-trust.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
href: on-premises-key-trust-adfs.md
- - name: Validate and deploy multi-factor authentication (MFA) services
- href: on-premises-key-trust-mfa.md
- - name: Configure Windows Hello for Business policy settings
+ - name: Configure and enroll in Windows Hello for Business
href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: on-premises-cert-trust.md
- - name: Configure and validate Public Key Infrastructure (PKI)
- href: on-premises-cert-trust-pki.md
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: on-premises-cert-trust-adfs.md
- - name: Validate and deploy multi-factor authentication (MFA)
- href: on-premises-cert-trust-mfa.md
- name: Configure and enroll in Windows Hello for Business
href: on-premises-cert-trust-enroll.md
+- name: Prepare users to provision and use Hello
+ href: prepare-users.md
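Review bot: The on-premises navigation no longer mentions MFA anywhere, because this hunk drops both `Validate and deploy multi-factor authentication (MFA)` entries while the two remaining AD FS entries keep their old names. The rewritten on-premises-key-trust.md links the same page as "Prepare and deploy AD FS with MFA", which suggests (not visible here) that the MFA validation steps were folded into the AD FS articles. Since provisioning cannot complete without MFA, I would rename the entries so the step stays discoverable from the table of contents, e.g. `- name: Prepare and deploy AD FS with MFA` for `on-premises-key-trust-adfs.md` and the same for `on-premises-cert-trust-adfs.md`. Using one name for both also removes the `deploy`/`Deploy` capitalization mismatch between the key trust and certificate trust entries.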
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
similarity index 58%
rename from windows/security/identity-protection/hello-for-business/hello-faq.yml
rename to windows/security/identity-protection/hello-for-business/faq.yml
index 6f42bde365..1b9e0947ca 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -5,7 +5,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
ms.topic: faq
- ms.date: 12/08/2023
+ ms.date: 01/03/2024
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
@@ -17,45 +17,31 @@ sections:
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
- - question: How can a PIN be more secure than a password?
+ - question: Why a PIN is better than an online password
answer: |
- When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
- The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- - question: How does Windows Hello for Business authentication work?
- answer: |
- When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
- These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device.
- For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md).
- - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process?
- answer: |
- Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
- At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
- - question: What's a container?
- answer: |
- In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
- The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID.
-
- > [!NOTE]
- > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
+ Three main reasons:
+ 1. **A PIN is tied to a device**: one important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it's set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device
+ 1. **A PIN is local to the device**: an online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key
+ 1. **A PIN is backed by hardware**: the Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked
- The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\
- :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys":::
-
- Containers can contain several types of key material:
- - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI.
+ The statement *A PIN is stronger than a password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature.
+ - question: What if someone steals the device?
+ answer: |
+ To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
+ - question: Why do you need a PIN to use biometrics?
+ answer: |
+ Windows Hello enables biometric sign-in with fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+ If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
- question: How are keys protected?
answer: |
- Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
+ Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IdP before the IdP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
- question: How does PIN caching work with Windows Hello for Business?
answer: |
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
- Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
+ Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
- The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching.
+ The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
@@ -65,34 +51,26 @@ sections:
- question: Who has access on Windows Hello biometrics data?
answer: |
Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
- - question: What's the difference between non-destructive and destructive PIN reset?
- answer: |
- Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
-
- Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
- question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
answer: |
- Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
+ Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. An IT administrator may configure policy settings, but it's always a user's choice if they want to use biometrics or PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
- question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
answer: |
- To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+ To remove Windows Hello and any associated biometric identification data from the device, open **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
- name: Management and operations
questions:
- - question: Can I deploy and manage Windows Hello for Business using Microsoft Intune?
- answer: |
- Yes, hybrid and cloud-only Windows Hello for Business deployments can use Microsoft Intune. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
- question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager?
answer: |
Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported.
- question: How do I delete a Windows Hello for Business container on a device?
answer: |
- You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device.
+ You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`.
- question: What happens when a user forgets their PIN?
answer: |
- If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app. Users can reset also their PIN from the lock screen by selecting the *I forgot my PIN* link on the PIN credential provider.
+ If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider.
- For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
+ For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the *Windows Hello for Business PIN reset service* to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero').
@@ -118,9 +96,6 @@ sections:
- question: Can I disable the PIN while using Windows Hello for Business?
answer: |
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
- - question: What is Event ID 300?
- answer: |
- This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
- question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
answer: |
The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
@@ -144,7 +119,7 @@ sections:
No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
answer: |
- Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
+ Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
- question: Can I use third-party MFA providers with Windows Hello for Business?
answer: |
Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
@@ -166,19 +141,19 @@ sections:
Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
- question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
answer: |
- Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
+ Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
- question: How does Windows Hello for Business work with Microsoft Entra registered devices?
answer: |
- A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
+ A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
- For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
+ For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
- question: Does Windows Hello for Business work with non-Windows operating systems?
answer: |
- Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
+ Windows Hello for Business is a feature of the Windows platform.
- question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients?
answer: |
No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services.
@@ -191,7 +166,7 @@ sections:
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
- The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
+ The trust models of your deployment determine how you authenticate to Active Directory. Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
- The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed)
- The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA
- question: What is convenience PIN?
@@ -202,7 +177,7 @@ sections:
No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
- question: What about virtual smart cards?
answer: |
- Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
+ Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business.
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).
@@ -222,13 +197,13 @@ sections:
Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
- You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+ You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](multifactor-unlock.md).
- name: Cloud Kerberos trust
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+ Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
@@ -242,7 +217,7 @@ sections:
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose.
+ Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates.
- question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
answer: |
No, only the number necessary to handle the load from all cloud Kerberos trust devices.
@@ -254,4 +229,4 @@ sections:
In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
- Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
+ Remote Desktop Protocol (RDP) doesn't support using key-based authentication as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
deleted file mode 100644
index 3d9b51898d..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Windows Hello and password changes
-description: Learn the impact of changing a password when using Windows Hello.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Windows Hello and password changes
-
-When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
-
-> [!Note]
-> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
-
-**Example 1**
-
-Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
-Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
-
-**Example 2**
-
-Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
-
->[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
-
-## How to update Hello after you change your password on another device
-
-1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
-1. Select **OK**
-1. Select **Sign-in options**
-1. Select **Password**
-1. Sign in with new password
-1. The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN.
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
deleted file mode 100644
index d80393b040..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Windows Hello biometrics in the enterprise
-description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.date: 01/12/2021
-ms.topic: concept-article
----
-
-# Windows Hello biometrics in the enterprise
-
-Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
-
->[!NOTE]
->When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-
-Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
-
-## How does Windows Hello work?
-
-Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
-
-The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
-
-## Why should I let my employees use Windows Hello?
-
-Windows Hello provides many benefits, including:
-
-- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
-- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
-- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
-
-## Where is Windows Hello data stored?
-
-The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
-
-> [!NOTE]
->Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
-
-## Has Microsoft set any device requirements for Windows Hello?
-
-We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
-
-- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm.
-
-- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
-
-### Fingerprint sensor requirements
-
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
-
-**Acceptable performance range for small to large size touch sensors**
-
-- False Accept Rate (FAR): <0.001 – 0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-**Acceptable performance range for swipe sensors**
-
-- False Accept Rate (FAR): <0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-### Facial recognition sensors
-
-To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-
-- False Accept Rate (FAR): <0.001%
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-> [!NOTE]
->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
-
-### Iris recognition sensor requirements
-
-To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b5c4e51668..a1df8320f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -4,12 +4,11 @@ description: This article is a troubleshooting guide for known Windows Hello for
ms.date: 06/02/2023
ms.topic: troubleshooting
---
+
# Windows Hello for Business known deployment issues
The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
-
-
## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error
PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
@@ -50,8 +49,6 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
-
-
## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
Applies to:
@@ -71,10 +68,10 @@ The issue can be identified using network traces or Kerberos logging from the cl
Log Name: Microsoft-Windows-Kerberos/Operational
Source: Microsoft-Windows-Security-Kerberos
Event ID: 107
-GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
+GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
Task Category: None
Level: Error
-Keywords:
+Keywords:
User: SYSTEM
Description:
@@ -137,7 +134,7 @@ Date:
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
-| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
+| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
## Errors with unknown mitigation
@@ -70,9 +70,9 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0X80072F0C | Unknown |
| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM |
-| 0x80090020 | NTE\_FAIL |
+| 0x80090020 | NTE_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
-| 0x8009002D | NTE\_INTERNAL\_ERROR |
+| 0x8009002D | NTE_INTERNAL_ERROR |
| 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. |
| 0x801C0006 | Unhandled exception from server. |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
deleted file mode 100644
index 3ed49353ea..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ /dev/null
@@ -1,412 +0,0 @@
----
-title: How Windows Hello for Business works - technology and terms
-description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
-ms.date: 10/08/2018
-ms.topic: glossary
----
-
-# Technology and terms
-
-## Attestation identity keys
-
-Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
-
-> [!NOTE]
-> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
-> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
-
-Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
-
-Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
-
-In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate.
-
-### Related to attestation identity keys
-
-- [Endorsement key](#endorsement-key)
-- [Storage root key](#storage-root-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about attestation identity keys
-
-- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
-- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-
-
-## Microsoft Entra join
-
-Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources.
-
-
-
-### Related to Microsoft Entra join
-
-- [Join type](#join-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-
-
-### More information about Microsoft Entra join
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
-
-
-
-## Microsoft Entra registration
-
-The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device.
-
-
-
-### Related to Microsoft Entra registration
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Join type](#join-type)
-
-
-
-### More information about Microsoft Entra registration
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
-
-## Certificate trust
-
-The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
-
-### Related to certificate trust
-
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about certificate trust
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Cloud deployment
-
-The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices.
-
-### Related to cloud deployment
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Deployment type](#deployment-type)
-- [Join type](#join-type)
-
-## Cloud experience host
-
-In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
-
-### Related to cloud experience host
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [Managed Windows Hello in organization](hello-manage-in-organization.md)
-
-### More information on cloud experience host
-
-[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works)
-
-## Cloud Kerberos trust
-
-The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\
-With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI.
-
-Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
-
-### Related to cloud Kerberos trust
-
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about cloud Kerberos trust
-
-[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md)
-
-## Deployment type
-
-Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
-
-- Cloud
-- Hybrid
-- On-premises
-
-### Related to deployment type
-
-- [Cloud deployment](#cloud-deployment)
-- [Hybrid deployment](#hybrid-deployment)
-- [On-premises deployment](#on-premises-deployment)
-
-### More information about deployment type
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Endorsement key
-
-The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
-
-The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
-
-The endorsement key acts as an identity card for the TPM.
-
-The endorsement key is often accompanied by one or two digital certificates:
-
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
-
-For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
-
-### Related to endorsement key
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Storage root key](#storage-root-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about endorsement key
-
-- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11))
-- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-## Federated environment
-
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID.
-
-### Related to federated environment
-
-- [Hybrid deployment](#hybrid-deployment)
-- [Managed environment](#managed-environment)
-- [Pass-through authentication](#pass-through-authentication)
-- [Password hash sync](#password-hash-sync)
-
-### More information about federated environment
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-
-
-## Microsoft Entra hybrid join
-
-For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
-
-- IT departments to manage work-owned devices from a central location.
-- Users to sign in to their devices with their Active Directory work or school accounts.
-
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
-
-If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID.
-
-
-
-### Related to Microsoft Entra hybrid join
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Hybrid deployment](#hybrid-deployment)
-
-
-
-### More information about Microsoft Entra hybrid join
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
-
-## Hybrid deployment
-
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
-
-### Related to hybrid deployment
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-### More information about hybrid deployment
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Join type
-
-Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined.
-
-Registering a device to Microsoft Entra ID enables you to manage a device's identity. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Microsoft Entra ID. You can use the identity to enable or disable a device.
-
-When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
-
-Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
-
-### Related to join type
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-### More information about join type
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
-
-## Key trust
-
-The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
-
-### Related to key trust
-
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Certificate trust](#certificate-trust)
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about key trust
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Managed environment
-
-Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
-
-### Related to managed environment
-
-- [Federated environment](#federated-environment)
-- [Pass-through authentication](#pass-through-authentication)
-- [Password hash synchronization](#password-hash-sync)
-
-## On-premises deployment
-
-The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
-
-### Related to on-premises deployment
-
-- [Cloud deployment](#cloud-deployment)
-- [Deployment type](#deployment-type)
-- [Hybrid deployment](#hybrid-deployment)
-
-### More information about on-premises deployment
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Pass-through authentication
-
-Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
-
-### Related to pass-through authentication
-
-- [Federated environment](#federated-environment)
-- [Managed environment](#managed-environment)
-- [Password hash synchronization](#password-hash-sync)
-
-### More information about pass-through authentication
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-## Password hash sync
-
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
-
-### Related to password hash sync
-
-- [Federated environment](#federated-environment)
-- [Managed environment](#managed-environment)
-- [Pass-through authentication](#pass-through-authentication)
-
-### More information about password hash sync
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-## Primary refresh token
-
-Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
-
-The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
-
-The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
-
-## Storage root key
-
-The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
-
-### Related to storage root key
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about storage root key
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-## Trust type
-
-The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
-
-### Related to trust type
-
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Certificate trust](#certificate-trust)
-- [Hybrid deployment](#hybrid-deployment)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-
-### More information about trust type
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Trusted platform module
-
-A trusted platform module (TPM) is a hardware component that provides unique security features.
-
-Windows uses security characteristics of a TPM for the following functions:
-
-- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives
-- Protecting credentials
-- Health attestation
-
-A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other:
-
-- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
-- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
-
-Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md).
-
-Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
-
-TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
-
-- Update cryptography strength to meet modern security needs
- - Support for SHA-256 for PCRs
- - Support for HMAC command
-- Cryptographic algorithms flexibility to support government needs
- - TPM 1.2 is severely restricted in terms of what algorithms it can support
- - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
-- Consistency across implementations
- - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
- - TPM 2.0 standardizes much of this behavior
-
-In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
-
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
-
-### Related to trusted platform module
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Storage root key](#storage-root-key)
-
-### More information about trusted platform module
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
deleted file mode 100644
index d8f299c354..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: How Windows Hello for Business works
-description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
-ms.date: 05/05/2018
-ms.topic: overview
----
-# How Windows Hello for Business works in Windows Devices
-
-Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
-
-Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
-> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
-
-## Technical Deep Dive
-
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-
-### Device Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
-
-### Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
-
-> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-
-For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
-
-### Authentication
-
-With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
-
-> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-
-For more information read [how authentication works](hello-how-it-works-authentication.md).
-
-## Related topics
-
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Windows Hello for Business](deploy/requirements.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ba06402421..1b1ad680bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -16,7 +16,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
Steps you'll perform include:
-- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect)
+- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect)
- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
@@ -49,8 +49,6 @@ If you need to deploy more than three types of certificates to the Microsoft Ent
All communication occurs securely over port 443.
-
-
## Prepare Microsoft Entra Connect
Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
@@ -59,8 +57,6 @@ Most environments change the user principal name suffix to match the organizatio
To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
-
-
### Verify Microsoft Entra Connect version
Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
@@ -287,8 +283,6 @@ Sign-in to the issuing certificate authority or management workstations with _Do
11. Select on the **Apply** to save changes and close the console.
-
-
### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 4a2846f9e6..f1666e6453 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -4,6 +4,7 @@ description: Learn how to configure single sign-on to on-premises resources for
ms.date: 12/30/2022
ms.topic: how-to
---
+
# Configure single sign-on for Microsoft Entra joined devices
[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
@@ -65,7 +66,7 @@ Use this set of procedures to update the CA that issues domain controller certif
You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
> [!IMPORTANT]
-> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
+> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
### Install the web server
@@ -119,7 +120,7 @@ These procedures configure NTFS and share permissions on the web server to allow
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
-### Disable Caching
+### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
1. Select **Caching**. Select **No files or programs from the shared folder are available offline**
@@ -190,7 +191,7 @@ Validate the new CRL distribution point is working.
#### Reissue domain controller certificates
-With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
1. Sign-in a domain controller using administrative credentials
1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
@@ -217,8 +218,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**

-
-
## Deploy the root CA certificate to Microsoft Entra joined devices
The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
deleted file mode 100644
index 896453d0bf..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Manage Windows Hello in your organization
-description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.date: 9/25/2023
-ms.topic: reference
----
-
-# Manage Windows Hello for Business in your organization
-
-You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
-
->[!IMPORTANT]
->Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
->
->Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
-
-## Group Policy settings for Windows Hello for Business
-
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
-
-> [!NOTE]
-> The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.
- **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.
- **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.
- **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
- **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.
- **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
- **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer|- Added in Windows 10, version 1703
- **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service
- **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset
- **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.
- For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN
- **Enabled**: Biometrics can be used as a gesture in place of a PIN.
- **Disabled**: Only a PIN can be used as a gesture.|
-
-### PIN Complexity
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.
- **Enabled**: Users must include a digit in their PIN.
- **Disabled**: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN
- **Enabled**: Users must include at least one lowercase letter in their PIN.
- **Disabled**: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.
- **Enabled**: PIN length must be less than or equal to the number you specify.
- **Disabled**: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater than or equal to 4.
- **Enabled**: PIN length must be greater than or equal to the number you specify.
- **Disabled**: PIN length must be greater than or equal to 4.|
-|Expiration|Computer|- **Not configured**: PIN doesn't expire.
- **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
- **Disabled**: PIN doesn't expire.|
-|History|Computer|- **Not configured**: Previous PINs aren't stored.
- **Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
- **Disabled**: Previous PINs aren't stored.
**Note** Current PIN is included in PIN history.
-|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.
- **Enabled**: Windows requires the user to include at least one special character in their PIN.
- **Disabled**: Windows doesn't allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.
- **Enabled**: Users must include at least one uppercase letter in their PIN.
- **Disabled**: Users can't include an uppercase letter in their PIN.|
-
-### Phone Sign-in
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Use Phone Sign-in|Computer|Not currently supported.|
-
-## MDM policy settings for Windows Hello for Business
-
-The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
-
->[!IMPORTANT]
->All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.
- False: Users won't be able to provision Windows Hello for Business.
**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
-|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.
- False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|ExcludeSecurityDevice
- TPM12|Device|False|Added in Windows 10, version 1703
- True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
- False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703
- True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
- False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-
-### Biometrics
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.
- False: Only a PIN can be used as a gesture for domain sign-in.|
-|- FacialFeaturesUser
- EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.
- True: Enhanced anti-spoofing is required on devices which support it.
- False: Users can't turn on enhanced anti-spoofing.|
-
-### PINComplexity
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|Digits |Device or user|1 |- 0: Digits are allowed.
- 1: At least one digit is required.
- 2: Digits aren't allowed.|
-|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed.
- 1: At least one lowercase letter is required.
- 2: Lowercase letters aren't allowed.|
-|Special characters|Device or user|2|- 0: Special characters are allowed.
- 1: At least one special character is required.
- 2: Special characters aren't allowed.|
-|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed.
- 1: At least one uppercase letter is required.
- 2: Uppercase letters aren't allowed.|
-|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
-|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
-|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
-
-### Remote
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UseRemotePassport|Device or user|False|Not currently supported.|
-
->[!NOTE]
-> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
-
-## Policy conflicts from multiple policy sources
-
-Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
-
-> [!IMPORTANT]
-> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
-
-## Policy precedence
-
-Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
deleted file mode 100644
index 55a70b9a89..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ /dev/null
@@ -1,342 +0,0 @@
----
-title: Plan a Windows Hello for Business Deployment
-description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 09/16/2020
-ms.topic: overview
----
-
-# Plan a Windows Hello for Business Deployment
-
-Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-
-This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-
-> [!Note]
-> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
-
-## Using this guide
-
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
-
-This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
-
-### How to Proceed
-
-Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
-
-There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-
-- Deployment Options
-- Client
-- Management
-- Active Directory
-- Public Key Infrastructure
-- Cloud
-
-### Baseline Prerequisites
-
-Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
-
-### Deployment Options
-
-The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.
-
-#### Deployment models
-
-There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
-
-##### Cloud only
-
-The cloud only deployment model is for organizations who only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in Azure.
-
-##### Hybrid
-
-The hybrid deployment model is for organizations that:
-
-- Are federated with Microsoft Entra ID
-- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect
-- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources
-
-> [!Important]
-> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
->
-> **Requirements:**
-> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-
-##### On-premises
-The on-premises deployment model is for organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID.
-
-> [!Important]
-> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
->
-> **Requirements:**
-> - Reset from settings - Windows 10, version 1703, Professional
-> - Reset above lock screen - Windows 10, version 1709, Professional
-> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-
-It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
-
-#### Trust types
-
-A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
-
-> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md).
-
-The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust doesn't require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
-
-> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
-
-#### Device registration
-
-All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
-
-#### Key registration
-
-The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
-
-#### Multifactor authentication
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
-
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a strong credential that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
-
-Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
-> [!NOTE]
-> Microsoft Entra multifactor authentication is available through:
-> * Microsoft Enterprise Agreement
-> * Open Volume License Program
-> * Cloud Solution Providers program
-> * Bundled with
-> * Microsoft Entra ID P1 or P2
-> * Enterprise Mobility Suite
-> * Enterprise Cloud Suite
-
-#### Directory synchronization
-
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
-
-### Management
-
-Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
-
-#### Group Policy
-
-Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units.
-
-#### Modern management
-
-Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and nondomain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform
-
-### Client
-
-Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
-
-Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update.
-
-
-### Active Directory
-
-Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment.
-
-### Public Key Infrastructure
-
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources.
-
-### Cloud
-
-Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities. These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
-
-## Planning a Deployment
-
-Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure.
-
-Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
-
-### Deployment Model
-
-Choose the deployment model based on the resources your users access. Use the following guidance to make your decision.
-
-If your organization doesn't have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet.
-
-If your organization is federated with Azure or uses any service, such as AD Connect, Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
-
-If your organization doesn't have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
-
->[!NOTE]
->
->- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests"
->- Migration from on-premise to hybrid deployment will require redeployment
-
-### Trust type
-
-Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
-
-Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
-
-One trust model isn't more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).
-
-Because the certificate trust types issues certificates, there's more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect.
-
-If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
-
-If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet.
-
-### Device Registration
-
-A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet.
-
-### Key Registration
-
-All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet.
-
-### Directory Synchronization
-
-Windows Hello for Business is strong user authentication, which usually means there's an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Microsoft Entra ID and there isn't another directory with which the information must be synchronized.
-
-If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network.
-
-### Multifactor authentication
-
-The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and can't be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
-
-If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include:
-* Directly use Azure MFA cloud service
-* Use AD FS w/Azure MFA cloud service adapter
-* Use AD FS w/Azure MFA Server adapter
-* Use AD FS w/3rd Party MFA Adapter
-
-You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
-
-If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
-
-You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
-
-Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
-
-The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, then you have two-second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
-
-If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-### Management
-
-Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage nondomain joined devices. If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
-
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
-
-Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and nondomain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for nondomain joined devices. Or, you can use modern management for both domain and nondomain joined devices.
-
-If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage nondomain joined devices; otherwise, write **N/A**.
-
-If you use modern management for both domain and nondomain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
-
-### Client
-
-Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **2a** on your planning worksheet read **modern management**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**.
- Optionally, you may write **1511 or later* in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **1a** on your planning worksheet reads **on-premises**.
- Write **N/A** in box **3b** on your planning worksheet.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-### Active Directory
-
-The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
-
-Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
-
-### Public Key Infrastructure
-
-Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
-
-If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments don't use a public key infrastructure.
-
-If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
-
-The registration authority only relates to certificate trust deployments and the management used for domain and nondomain joined devices. Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
-
-If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances:
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-
-If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-### Cloud
-
-Nearly all deployments of Windows Hello for Business require an Azure account.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments don't use the cloud directory.
-
-Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
-
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature.
-
-Modern managed devices don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
-
-If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
-
-## Congratulations, You're Done
-
-Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
deleted file mode 100644
index 52459fe655..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Prepare people to use Windows Hello
-description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.date: 08/19/2018
-ms.topic: end-user-help
----
-# Prepare people to use Windows Hello
-
-When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
-
-After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-
-Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
-
-People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-
-## On devices owned by the organization
-
-When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
-
-
-Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
-
-
-They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
-
-After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
-
-## On personal devices
-
-People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
-
-People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
-
-## Using Windows Hello and biometrics
-
-If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
-:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
deleted file mode 100644
index 24b362c125..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Windows Hello for Business Videos
-description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 09/07/2023
-ms.topic: get-started
----
-# Windows Hello for Business Videos
-## Overview of Windows Hello for Business and Features
-
-Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
-
-> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
-
-## Why PIN is more secure than a password
-
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
-
-> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
-
-## Microsoft's passwordless strategy
-
-Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
-
-> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
-
-## Windows Hello for Business Provisioning
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
-
-> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-
-## Windows Hello for Business Authentication
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
-
-> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
deleted file mode 100644
index 6fe91595bc..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Why a PIN is better than an online password
-description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Why a PIN is better than an online password
-
-Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
-
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
-
-> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
-
-## A PIN is tied to the device
-
-One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too.
-
-The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
-
-## PIN is local to the device
-
-An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
-When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server.
-Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
-
->[!NOTE]
->For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
-
-## PIN is backed by hardware
-
-The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords.
-
-User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
-
-The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
-
-## PIN can be complex
-
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
-
-## What if someone steals the device?
-
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
-You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
-
-### Configure BitLocker without TPM
-
-To enable BitLocker without TPM, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
-1. In the policy option, select **Allow BitLocker without a compatible TPM > OK**
-1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption**
-1. Select the operating system drive to protect
-
-### Set account lockout threshold
-
-To configure account lockout threshold, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
-1. Set the number of invalid logon attempts to allow, and then select OK
-
-## Why do you need a PIN to use biometrics?
-
-Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
-
-If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
similarity index 81%
rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
rename to windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
index af0ff0de5a..5bd47775ff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@@ -1,7 +1,7 @@
---
title: How Windows Hello for Business authentication works
description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 05/24/2023
+ms.date: 01/03/2024
ms.topic: reference
---
# Windows Hello for Business authentication
@@ -10,11 +10,9 @@ Windows Hello for Business authentication is a passwordless, two-factor authenti
Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background.
-
-
## Microsoft Entra join authentication to Microsoft Entra ID
-
+:::image type="content" source="images/howitworks/auth/entra-join-entra.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Microsoft Entra ID." lightbox="images/howitworks/auth/entra-join-entra.png" border="false":::
> [!NOTE]
> All Microsoft Entra joined devices authenticate with Windows Hello for Business to Microsoft Entra ID the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
@@ -27,37 +25,31 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-
-
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-ckt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/entra-join-ad-ckt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
-
-
## Microsoft Entra join authentication to Active Directory using a key
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-kt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/entra-join-ad-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
-|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
-
-
## Microsoft Entra join authentication to Active Directory using a certificate
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-ct.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/entra-join-ad-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -68,11 +60,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
> [!NOTE]
> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
-
-
## Microsoft Entra hybrid join authentication using cloud Kerberos trust
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ckt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/hybrid-entra-join-ckt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -80,18 +70,16 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-
-
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Microsoft Entra hybrid join authentication using a key
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-kt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/hybrid-entra-join-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
@@ -101,11 +89,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
> [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
-
-
## Microsoft Entra hybrid join authentication using a certificate
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ct.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/hybrid-entra-join-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
similarity index 85%
rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
rename to windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
index b2e01e88dd..9c6ef249eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@@ -1,7 +1,7 @@
---
title: How Windows Hello for Business provisioning works
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
-ms.date: 12/12/2022
+ms.date: 01/03/2024
ms.topic: reference
appliesto:
---
@@ -14,23 +14,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
- The Windows Hello for Business deployment type
- If the environment is managed or federated
-List of provisioning flows:
-
-- [Microsoft Entra joined provisioning in a managed environment](#microsoft-entra-joined-provisioning-in-a-managed-environment)
-- [Microsoft Entra joined provisioning in a federated environment](#microsoft-entra-joined-provisioning-in-a-federated-environment)
-- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
-- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-- [Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment](#microsoft-entra-hybrid-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
-- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
-- [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
-
> [!NOTE]
> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
-## Microsoft Entra joined provisioning in a managed environment
+## Provisioning for Microsoft Entra joined devices with managed authentication
-
-[Full size image](images/howitworks/prov-aadj-managed.png)
+:::image type="content" source="images/howitworks/prov/entra-join-managed.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with managed authentication." lightbox="images/howitworks/prov/entra-join-managed.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -38,10 +27,9 @@ List of provisioning flows:
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. |
-## Microsoft Entra joined provisioning in a federated environment
+## Provisioning for Microsoft Entra joined devices with federated authentication
-
-[Full size image](images/howitworks/prov-aadj-federated.png)
+:::image type="content" source="images/howitworks/prov/entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with federated authentication." lightbox="images/howitworks/prov/entra-join-federated.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -49,10 +37,9 @@ List of provisioning flows:
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application, which signals the end of user provisioning and the application exits. |
-## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment
+## Provisioning in a cloud Kerberos trust deployment model with managed authentication
-
-[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-ckt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid cloud Kerberos trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-ckt.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -63,25 +50,23 @@ List of provisioning flows:
> [!NOTE]
> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential.
-## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment
+## Provisioning in a hybrid key trust deployment model with managed authentication
-
-[Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-managed-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid key trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-managed-kt.png" border="false":::
| Phase | Description |
|:-:|:-|
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service provides the second factor of authentication. If the user has performed Microsoft Entra multifactor authentication within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they aren't prompted for MFA because the current MFA remains valid.
Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. |
-| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
+| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's `msDS-KeyCredentialLink` attribute in Active Directory. |
> [!IMPORTANT]
> The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory.
-## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment
+## Provisioning in a hybrid certificate trust deployment model with federated authentication
-
-[Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid certificate trust deployment model with federated authentication." lightbox="images/howitworks/prov/hybrid-entra-join-federated.png" border="false":::
| Phase | Description |
|:-|:-|
@@ -96,10 +81,9 @@ List of provisioning flows:
> [!IMPORTANT]
> Synchronous certificate enrollment doesn't depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
-## Domain joined provisioning in an On-premises Key Trust deployment
+## Provisioning in an on-premises key trust deployment model
-
-[Full size image](images/howitworks/prov-onprem-keytrust.png)
+:::image type="content" source="images/howitworks/prov/onprem-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises key trust deployment model." lightbox="images/howitworks/prov/onprem-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -107,10 +91,9 @@ List of provisioning flows:
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
-## Domain joined provisioning in an On-premises Certificate Trust deployment
+## Provisioning in an on-premises certificate trust deployment model
-
-[Full size image](images/howitworks/prov-onprem-certtrust.png)
+:::image type="content" source="images/howitworks/prov/onprem-ct.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises certificate trust deployment model." lightbox="images/howitworks/prov/onprem-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
new file mode 100644
index 0000000000..87250d1fa9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -0,0 +1,236 @@
+---
+title: How Windows Hello for Business works
+description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
+ms.date: 01/09/2024
+ms.topic: concept-article
+---
+
+# How Windows Hello for Business works
+
+Windows Hello for Business is a distributed system that requires multiple technologies to work together. To simplify the explanation of how Windows Hello for Business works, let's break it down into five phases, which represent the chronological order of the deployment process.
+
+> [!NOTE]
+> Two of these phases are required only for certain deployment scenarios.
+>
+> The deployment scenarios are described in the article: [Plan a Windows Hello for Business deployment](deploy/index.md).
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/device-registration.png" alt-text="Icon representing the device registration phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Device registration phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, the device registers its identity with the identity provider (IdP), so that it can be associated and authenticate to the IdP.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/provision.png" alt-text="Icon representing the provisioning phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Provisioning phase
+ :::column-end:::
+:::row-end:::
+
+During this phase, the user authenticates using one form of authentication (typically, username/password) to request a new Windows Hello for Business credential. The provisioning flow requires a second factor of authentication before it can generate a public/private key pair. The public key is registered with the IdP, mapped to the user account.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/synchronization.png" alt-text="Icon representing the synchronization phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Key synchronization phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, **required by some hybrid deployments**, the user's public key is synchronized from Microsoft Entra ID to Active Directory.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/certificate-enrollment.png" alt-text="Icon representing the certificate enrollment phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Certificate enrollment phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, **required only by deployments using certificates**, a certificate is issued to the user using the organization's public key infrastructure (PKI).
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/authentication.png" alt-text="Icon representing the authentication phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Authentication phase
+ :::column-end:::
+:::row-end:::
+
+In this last phase, the user can sign-in to Windows using biometrics or a PIN. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The IdP validates the user identity by mapping the user account to the public key registered during the provisioning phase.
+
+The following sections provide deeper insights into each of these phases.
+
+## Device Registration
+
+All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to be associated and to authenticate to an IdP:
+
+- For cloud and hybrid deployments, the identity provider is Microsoft Entra ID, and the device registers with the *Device Registration Service*
+- For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the *Enterprise Device Registration Service* hosted on AD FS
+
+When a device is registered, the IdP provides the device with an identity that is used to authenticate the device when a user signs-in.
+
+There are different registration types, which are identified as *join type*. For more information, see [What is a device identity][ENTRA-1].
+
+For detailed sequence diagrams, see [how device registration works][ENTRA-4].
+
+## Provisioning
+
+:::row:::
+ :::column:::
+ Windows Hello provisioning is triggered once device registration completes, and after the device receives a policy that enables Windows Hello. If all the prerequisites are met, a Cloud eXperience Host (CXH) window is launched to take the user through the provisioning flow.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="images/howitworks/cxh-provision.png" alt-text="Screenshot of the Cloud Experience Host prompting the user to provision Windows Hello." border="false" lightbox="images/howitworks/cxh-provision.png":::
+ :::column-end:::
+:::row-end:::
+
+> [!NOTE]
+> The list of prerequisites varies depending on the deployment type, as described in the article [Plan a Windows Hello for Business deployment](deploy/index.md).
+
+During the provisioning phase, a *Windows Hello container* is created. A Windows Hello container is a logical grouping of *key material*, or data. The container holds organization's credentials only on devices that are *registered* with the organization's IdP.
+
+> [!NOTE]
+> There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
+
+Here are the steps involved with the provisioning phase:
+
+1. In the CXH window, the user is prompted to authenticate to the IdP with MFA
+1. After successful MFA, the user must provide a bio gesture (if available), and a PIN
+1. After the PIN confirmation, the Windows Hello container is created
+1. A public/private key pair is generated. The key pair is bound to the Trusted Platform Module (TPM), if available, or in software
+1. The private key is stored locally and protected by the TPM, and can't be exported
+1. The public key is registered with the IdP, mapped to the user account
+ 1. The Device Registration Service writes the key to the user object in Microsoft Entra ID
+ 1. For on-premises scenarios, AD FS writes the key to Active Directory
+
+The following video shows the Windows Hello for Business enrollment steps after signing in with a password:
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+For more information and detailed sequence diagrams, see [how provisioning works](how-it-works-provisioning.md).
+
+### Windows Hello container details
+
+:::row:::
+ :::column:::
+ During the provisioning phase, Windows Hello generates a new public/private key pair on the device. The TPM generates and protects the private key. If the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. The protector key is associated with a single gesture: if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures has a unique protector key.
+
+ The protector key securely wraps the *authentication key*. The authentication key is used to unlock the *user ID keys*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="images/howitworks/hello-container.png" alt-text="Diagram of the Windows Hello container." border="false" lightbox="images/howitworks/hello-container.png":::
+ :::column-end:::
+:::row-end:::
+
+Each protector encrypts its own copy of the authentication key. How the encryption is performed is up to the protector itself. For example, the PIN protector performs a TPM seal operation using the PIN as entropy, or when no TPM is available, performs symmetric encryption of the authentication key using a key derived from the PIN itself.
+
+> [!IMPORTANT]
+> Keys can be generated in hardware (TPM 1.2 or 2.0) or software, based on the configured policy setting. To guarantee that keys are generated in hardware, you must configure a policy setting. For more information, see [Use a hardware security device](policy-settings.md#use-a-hardware-security-device).
+
+Personal (Microsoft account) and Work or School (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+
+Windows Hello also generates an *administrative key*. The administrative key can be used to reset credentials when necessary. For example, when using the [PIN reset service](pin-reset.md). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
+
+Access to the key material stored in the container, is enabled only by the PIN or biometric gesture. The two-step verification that takes place during provisioning creates a trusted relationship between the IdP and the user. This happens when the public portion of the public/private key pair is sent to an identity provider and associated with the user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services.
+
+A container can contain several types of key material:
+
+- An *authentication key*, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key is generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key
+- One or multiple *user ID keys*. These keys can be either symmetric or asymmetric, depending on which IdP you use. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the user ID key or key pair can request access. User ID keys are used to sign or encrypt authentication requests or tokens sent from this device to the IdP. User ID keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IdP (which stores it for later verification), and securely stores the private key. For organizatrons, the user ID keys can be generated in two ways:
+ - The user ID key pair can be associated with an organization's Certificate Authority (CA). This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the organization to store other certificates in the protected container. For example, certificates that allows the user to authenticate via RDP
+ - The IdP can generate the user ID key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI
+
+User ID keys are used to authenticate the user to a service. For example, by signing a nonce to prove possession of the private key, which corresponds to a registered public key. Users with an Active Directory, Microsoft Entra ID or Microsoft account have a key associated with their account. The key can be used to sign into their Windows device by authenticating to a domain controller (Active Directory scenario), or to the cloud (Microsoft Entra ID and MSA scenarios).
+
+Windows Hello can also be used as a FIDO2 authenticator to authenticate to any website that supports WebAuthn. Websites or application can create a FIDO user ID key in the user's Windows Hello container using APIs. On subsequent visits, the user can authenticate to the website or app using their Windows Hello PIN or biometric gesture.
+
+To learn more how Windows uses the TPM in support of Windows Hello for Business, see [How Windows uses the Trusted Platform Module](../../hardware-security/tpm/how-windows-uses-the-tpm.md).
+
+### Biometric data storage
+
+The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Even if an attacker could obtain the biometric data from a device, it couldn't be converted back into a raw biometric sample recognizable by the biometric sensor.
+
+Each sensor has its own biometric database file where template data is stored (path `C:\WINDOWS\System32\WinBioDatabase`). Each database file has a unique, randomly generated key that is encrypted to the system. The template data for the sensor is encrypted with the per-database key using AES with CBC chaining mode. The hash is SHA256.
+
+> [!NOTE]
+>Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors store biometric data on the fingerprint module instead of in the database file. For more information, see [Windows Hello Enhanced Security Sign-in (ESS)][WINH-1].
+
+## Key synchronization
+
+Key synchronization is required in hybrid environments. After the user provisions a Windows Hello for Business credential, the key must synchronize from Microsoft Entra ID to Active Directory.
+
+The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object in Active Directory. The synchronization is handled by Microsoft Entra Connect Sync.
+
+## Certificate enrollment
+
+For certificate deployments, after registering the key, the client generates a certificate request. The request is sent to the Certificate Registration Authority (CRA). The CRA is on the Active Directory Federation Services (AD FS) server, which validates the certificate request and fulfills it using the enterprise PKI.
+
+A certificate is enrolled on the user's Hello container, which is used to authenticate to on-premises resources.
+
+## Authentication
+
+Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials, and the token that is obtained using those credentials, are bound to the device.
+
+Authentication is the two-factor authentication with the combination of:
+
+- A key, or certificate, tied to a device and
+ - something that the person knows (a PIN) or
+ - something that the person is (biometrics)
+
+PIN entry and biometric gesture both trigger Windows to use the private key to cryptographically sign data that is sent to the identity provider. The IdP verifies the user's identity and authenticates the user.
+
+The PIN or the private portion of the credentials is never sent to the IdP, and the PIN isn't stored on the device. The PIN and bio gestures are *user-provided entropy* when performing operations that use the private portion of the credential.
+
+When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever User ID keys reside inside the container.
+
+These keys are used to sign requests that are sent to the IdP, requesting access to specified resources.
+
+> [!IMPORTANT]
+> Although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device.
+
+For more information and detailed sequence diagrams, see [how authentication works](how-it-works-authentication.md).
+
+### Primary refresh token
+
+Single sign-on (SSO) relies on special tokens obtained to access specific applications. In the traditional Windows Integrated authentication case using Kerberos, the token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a *primary refresh token* (PRT). It's a [JSON Web Token][WEB-1] that contains claims about both the user and the device.
+
+The PRT is initially obtained during sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon *Add Work or School Account*. For a personal device, the account to unlock the device isn't the work account, but a consumer account (*Microsoft account*).
+
+The PRT is needed for SSO. Without it, users would be prompted for credentials every time they access applications. The PRT also contains information about the device. If you have any [device-based conditional access][ENTRA-3] policies set on an application, without the PRT access is denied.
+
+> [!TIP]
+> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
+
+For more information, see [What is a Primary Refresh Token][ENTRA-2].
+
+### Windows Hello for Business and password changes
+
+Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> To accommodate the multitude of organizations needs and requirements, Windows Hello for Business offers different deployment options. To learn how to plan a Windows Hello for Business deployment, see:
+>
+> [Plan a Windows Hello for Business Deployment](deploy/index.md)
+
+
+
+[ENTRA-1]: /entra/identity/devices/overview
+[ENTRA-2]: /entra/identity/devices/concept-primary-refresh-token
+[ENTRA-3]: /entra/identity/conditional-access/concept-conditional-access-grant
+[ENTRA-4]: /entra/identity/devices/device-registration-how-it-works
+
+[WEB-1]: https://openid.net/specs/draft-jones-json-web-token-07.html
+[WINH-1]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
diff --git a/windows/security/identity-protection/hello-for-business/images/authflow.png b/windows/security/identity-protection/hello-for-business/images/authflow.png
deleted file mode 100644
index 1ddf18cc1f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/authflow.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/connect.png b/windows/security/identity-protection/hello-for-business/images/connect.png
deleted file mode 100644
index 2338eda8d2..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/connect.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/corpown.png b/windows/security/identity-protection/hello-for-business/images/corpown.png
deleted file mode 100644
index f87d33ce86..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/corpown.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/fingerprint.svg b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
new file mode 100644
index 0000000000..e2b816716a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hello.svg b/windows/security/identity-protection/hello-for-business/images/hello.svg
new file mode 100644
index 0000000000..5601c82127
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/hello.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hellosettings.png b/windows/security/identity-protection/hello-for-business/images/hellosettings.png
deleted file mode 100644
index 9b897a136e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hellosettings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png
deleted file mode 100644
index 344be6aa22..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png
deleted file mode 100644
index 751e2fbe99..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png
deleted file mode 100644
index 1fec70ce5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png
deleted file mode 100644
index 095ebc3417..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png
deleted file mode 100644
index 905d36fa8f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png
deleted file mode 100644
index 0a803d8fbb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png
deleted file mode 100644
index 7f82cda5ae..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png
new file mode 100644
index 0000000000..ef60414e70
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png
new file mode 100644
index 0000000000..e45839808a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png
new file mode 100644
index 0000000000..213efe1241
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png
new file mode 100644
index 0000000000..584702dcd1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png
new file mode 100644
index 0000000000..2ee3ebd7ff
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png
new file mode 100644
index 0000000000..7e4cb22dcf
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png
new file mode 100644
index 0000000000..9f085f40e9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png
new file mode 100644
index 0000000000..4c36e92b32
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png
new file mode 100644
index 0000000000..5b491739be
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png
new file mode 100644
index 0000000000..28fe43819e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png
new file mode 100644
index 0000000000..f2efb0a732
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png
new file mode 100644
index 0000000000..2cd717e7f4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png
deleted file mode 100644
index dd7eee063e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png
deleted file mode 100644
index 3e67ac6b42..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png
deleted file mode 100644
index b2867c3aeb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png
deleted file mode 100644
index b7f4927730..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png
deleted file mode 100644
index 5bf7d96a34..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png
deleted file mode 100644
index 6afa492270..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png
deleted file mode 100644
index 3e051918ce..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png
new file mode 100644
index 0000000000..b1d934b030
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png
new file mode 100644
index 0000000000..8cba709a71
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png
new file mode 100644
index 0000000000..2c49786e91
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png
new file mode 100644
index 0000000000..9cbe229993
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png
new file mode 100644
index 0000000000..66b65155ee
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png
new file mode 100644
index 0000000000..9a19b71d78
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png
new file mode 100644
index 0000000000..8a01d2dc3e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png
new file mode 100644
index 0000000000..3c79cec610
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png
new file mode 100644
index 0000000000..2823638bc5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/iris.svg b/windows/security/identity-protection/hello-for-business/images/iris.svg
new file mode 100644
index 0000000000..871cac50d5
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/iris.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png
deleted file mode 100644
index 47823d76a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png
deleted file mode 100644
index fd7afd80cb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png b/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
deleted file mode 100644
index d00836529a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
deleted file mode 100644
index 6b19520041..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
deleted file mode 100644
index 21329d0ffa..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
deleted file mode 100644
index 8552a3ee2f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
deleted file mode 100644
index fd9085fbd1..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
deleted file mode 100644
index 1ec0fe5a29..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
deleted file mode 100644
index 9731de1222..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
deleted file mode 100644
index 5935422718..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
deleted file mode 100644
index 9e3a5509a9..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
deleted file mode 100644
index 9b068a70a2..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
deleted file mode 100644
index b4e1575d05..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
deleted file mode 100644
index 06a13b6f1a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
deleted file mode 100644
index dd8c09b2dd..0000000000
--- a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
+++ /dev/null
@@ -1,11 +0,0 @@
-