diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 7cc99f80b3..df4ae61d44 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -12724,6 +12724,16 @@
"source_path": "windows/update/waas-wufb-group-policy.md",
"redirect_url": "/windows/deployment/update/waas-wufb-group-policy",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md",
+ "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-10-media.md",
+ "redirect_url": "/licensing/",
+ "redirect_document_id": false
}
]
}
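Review bot: the second new entry sends `windows/deployment/windows-10-media.md` to the bare `/licensing/` root rather than to a specific page, so anyone following an old link to the media article lands on a hub with no media content; if the article moved, point at its new location, and if it was retired, a more specific target (or an explanation in the PR description) would help reviewers judge the redirect. The first entry (`windows-10-edition-upgrades` to `windows-edition-upgrades`) is a straightforward rename and looks fine with `redirect_document_id: false`.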
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 35200347df..36a0de01ff 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,6 +1,6 @@
---
title: Configure federated sign-in for Windows devices
-description: Learn about federated sign-in in Windows how to configure it.
+description: Learn how federated sign-in in Windows works and how to configure it.
ms.date: 09/11/2023
ms.topic: how-to
appliesto:
diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md
new file mode 100644
index 0000000000..951ca428e3
--- /dev/null
+++ b/includes/configure/provisioning-package-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package):
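Review bot: this include carries `ms.prod: windows-client` in its front matter, while the other includes touched in this PR (everything under `includes/licensing/`) use only `author`, `ms.author`, `ms.date` and `ms.topic`; either drop it here for consistency or confirm that `ms.prod` is required for includes under `includes/configure/`. The lead sentence also ends with a colon, so it relies on every consuming page placing the settings table or list immediately after the include; worth a comment in the file or the PR description so future callers know that contract.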
diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md
new file mode 100644
index 0000000000..b600e58e47
--- /dev/null
+++ b/includes/configure/provisioning-package-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure.
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index d64cd242d4..fcb9271823 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,79 +9,83 @@ ms.topic: include
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
-|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|❌|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|
|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|
|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|
|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
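Review bot: the new Always On VPN link is written as `/Windows-server/remote/remote-access/overview-always-on-vpn` with a capital W, while every other Windows Server link in the table (Direct Access, LSA Protection, the new DNS security row, SMB) uses lowercase `/windows-server/`; lowercase it so the link does not depend on case-insensitive handling and so the mismatch is not copied into the second table. Separately, the hunk migrates AppLocker and the vulnerable driver blocklist off `/windows/security/threat-protection/windows-defender-application-control/...`, but leaves Smart App Control and Windows Defender Application Control (WDAC) on that old path, and Account Lockout Policy and security policy settings on `/windows/security/threat-protection/security-policy-settings/...`; if those pages moved with the rest, update them in the same pass rather than leaving them to redirects.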
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index d9d793ad2b..fce70cbf8d 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,79 +9,83 @@ ms.topic: include
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
-|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes|
|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|Yes|
|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
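Review bot: the relocated links in this hunk leave two rows inconsistent with the rest of the table: `Windows Firewall` now points at `/windows/security/operating-system-security/network-security/windows-firewall/...`, while `Windows Defender Application Control (WDAC)` and `Windows security policy settings and auditing` still point at `/windows/security/threat-protection/...` paths of the same family that this patch is moving away from. Check whether those two URLs have also been relocated and update them in the same pass, so the table does not rely on redirects for some rows and direct targets for others. Also confirm that the new `Windows passwordless experience` row has a matching `includes/licensing/` include with the same Yes/Yes/Yes/Yes/Yes entitlement row, since every other feature row in this table is backed by one.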
diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md
index 8adad0309e..7914dd8fd5 100644
--- a/includes/licensing/access-control-aclsacl.md
+++ b/includes/licensing/access-control-aclsacl.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
index 1e7a0d8661..3ca26ae6ea 100644
--- a/includes/licensing/account-lockout-policy.md
+++ b/includes/licensing/account-lockout-policy.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
new file mode 100644
index 0000000000..dadb8c49ae
--- /dev/null
+++ b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
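Review bot: the brand name is written "Microsoft Entra Hybrid join" in the heading sentence and again in the entitlement sentence; Microsoft Entra naming uses a lowercase "hybrid" ("Microsoft Entra hybrid join"), so both sentences should read `Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)`. Separately, the filename `active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md` is far longer than the sibling includes introduced in this patch (`fido2-security-key.md`, `passkeys.md`, `web-sign-in.md`); consider a shorter slug such as `domain-join-and-entra-join-sso.md` before any article starts embedding it, since renaming an include later means touching every consumer.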
diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md
index 08d98ed800..c02b90d456 100644
--- a/includes/licensing/always-on-vpn-device-tunnel.md
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md
index 0d698a7bfb..8777c075d8 100644
--- a/includes/licensing/app-containers.md
+++ b/includes/licensing/app-containers.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md
index 54cc165d41..26e08b6b83 100644
--- a/includes/licensing/applocker.md
+++ b/includes/licensing/applocker.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
index 066c7badc4..f14704f482 100644
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md
index 7d481ce4bf..3f2b9094aa 100644
--- a/includes/licensing/attack-surface-reduction-asr.md
+++ b/includes/licensing/attack-surface-reduction-asr.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/azure-code-signing.md b/includes/licensing/azure-code-signing.md
index dc29a35e27..ace7222901 100644
--- a/includes/licensing/azure-code-signing.md
+++ b/includes/licensing/azure-code-signing.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md
index 56f85845aa..42fdd23a24 100644
--- a/includes/licensing/bitlocker-enablement.md
+++ b/includes/licensing/bitlocker-enablement.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md
index a0c68f72ee..c9c3827684 100644
--- a/includes/licensing/bitlocker-management.md
+++ b/includes/licensing/bitlocker-management.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md
index 171fe3f9b2..62054635e0 100644
--- a/includes/licensing/bluetooth-pairing-and-connection-protection.md
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md
index 528a497f37..1eef471e1f 100644
--- a/includes/licensing/common-criteria-certifications.md
+++ b/includes/licensing/common-criteria-certifications.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md
index 25d04b1c49..653c17f98a 100644
--- a/includes/licensing/controlled-folder-access.md
+++ b/includes/licensing/controlled-folder-access.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/credential-guard.md b/includes/licensing/credential-guard.md
index b5eea7128d..43c956dd67 100644
--- a/includes/licensing/credential-guard.md
+++ b/includes/licensing/credential-guard.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md
index 7ed2add45f..8262e8af6c 100644
--- a/includes/licensing/device-health-attestation-service.md
+++ b/includes/licensing/device-health-attestation-service.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md
index 057c5a2cea..7ff5d0349a 100644
--- a/includes/licensing/direct-access.md
+++ b/includes/licensing/direct-access.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/domain-name-system-dns-security.md
similarity index 70%
rename from includes/licensing/fast-identity-online-fido2-security-key.md
rename to includes/licensing/domain-name-system-dns-security.md
index 9985309552..6c201664a7 100644
--- a/includes/licensing/fast-identity-online-fido2-security-key.md
+++ b/includes/licensing/domain-name-system-dns-security.md
@@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
-The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
+The following table lists the Windows editions that support Domain Name System (DNS) security:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
-Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
+Domain Name System (DNS) security license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
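Review bot: this "rename" (similarity index 70%) is git pairing two unrelated includes by their shared boilerplate, not a real rename: the FIDO2 include disappears from `includes/licensing/fast-identity-online-fido2-security-key.md` and a DNS security include appears in its place. Any article that still embeds the old FIDO2 path will fail to resolve at build time, so every consumer must be repointed to the replacement path `includes/licensing/fido2-security-key.md` created further down in this patch, and any article that should now carry the DNS security section needs the new `domain-name-system-dns-security.md` include added. The hunk also shows the second `|:---:|` alignment row as the last changed line with no entitlement row beneath it; confirm that the `|Yes|Yes|Yes|Yes|Yes|` row and the closing licensing-overview link survive below the visible context.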
diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md
index 6895c5b618..0b6eba0e94 100644
--- a/includes/licensing/email-encryption-smime.md
+++ b/includes/licensing/email-encryption-smime.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md
index 16225d6ee6..250860e3d7 100644
--- a/includes/licensing/encrypted-hard-drive.md
+++ b/includes/licensing/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
index ae4cd8568a..f3e9d9e7eb 100644
--- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md
index 7a46f2cc0a..e3cc381820 100644
--- a/includes/licensing/exploit-protection.md
+++ b/includes/licensing/exploit-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
index a06133b313..255e023c53 100644
--- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 0d01c1968f..701d2a3bde 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
-|Yes|No|No|Yes|Yes|
+|Yes|Yes|Yes|No|No|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
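Review bot: this hunk inverts the entitlement row from `|Yes|No|No|Yes|Yes|` to `|Yes|Yes|Yes|No|No|`, which moves the federated sign-in entitlement from Windows Education A3/A5 to Windows Enterprise E3/E5 with no accompanying change to the edition table or to the text above it. The header row still leads with `Windows Pro Education/SE`, an education SKU, and nothing else in the patch explains why the Enterprise and Education columns trade places, so this reads like a column-order mistake rather than an intentional licensing update. Please confirm the new row against the licensing source of record before merging, and if it is intentional, say so in the commit message; a wrong entitlement table here is what customers use to decide whether they are licensed for the feature.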
diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/fido2-security-key.md
similarity index 72%
rename from includes/licensing/access-control-aclsscals.md
rename to includes/licensing/fido2-security-key.md
index 9d8830c6cd..a75a664ba2 100644
--- a/includes/licensing/access-control-aclsscals.md
+++ b/includes/licensing/fido2-security-key.md
@@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
-The following table lists the Windows editions that support Access Control (ACLs/SCALS):
+The following table lists the Windows editions that support FIDO2 security key:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
-Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
+FIDO2 security key license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
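Review bot: as with the DNS security hunk above, git has paired `access-control-aclsscals.md` with the new `fido2-security-key.md` by similarity (72%), so the old Access Control include path is gone; articles embedding `includes/licensing/access-control-aclsscals.md` must be repointed to the existing `includes/licensing/access-control-aclsacl.md` (whose `ms.date` is bumped earlier in this patch), otherwise their include reference breaks. Two smaller points on the new text: `support FIDO2 security key` should be plural (`support FIDO2 security keys`), and the dropped "Fast Identity Online" expansion is fine here only if the feature table that links to this include also drops it, so the two stay in sync.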
diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md
index 8a2fe75e78..015c2029c7 100644
--- a/includes/licensing/hardware-enforced-stack-protection.md
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
index a6800d9403..6ec3e17ec0 100644
--- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md
index 52b159827e..b6a67f8b82 100644
--- a/includes/licensing/kernel-direct-memory-access-dma-protection.md
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md
index fafa59de66..9fb5ffeb78 100644
--- a/includes/licensing/local-security-authority-lsa-protection.md
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md
index 407e64eefe..6d62dc4f3e 100644
--- a/includes/licensing/measured-boot.md
+++ b/includes/licensing/measured-boot.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md
index 357e6daa39..bfa1a523e4 100644
--- a/includes/licensing/microsoft-defender-antivirus.md
+++ b/includes/licensing/microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
index bd87e59e22..8b1f61512a 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
index 8e546d7248..92bde833e7 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
index 5d3024ffc9..40bd08c713 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
index 6284c03484..a808fad367 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
index de70847881..1451e70955 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md
index 56edc6e24e..3c405e4747 100644
--- a/includes/licensing/microsoft-defender-for-endpoint.md
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md
index d5b7aae9bd..4f8c6afb14 100644
--- a/includes/licensing/microsoft-defender-smartscreen.md
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-pluton.md b/includes/licensing/microsoft-pluton.md
index 31058f139d..6d127fec25 100644
--- a/includes/licensing/microsoft-pluton.md
+++ b/includes/licensing/microsoft-pluton.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
index 7b9411b126..c772ef45b4 100644
--- a/includes/licensing/microsoft-security-development-lifecycle-sdl.md
+++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
index 449ac22b52..58866a171a 100644
--- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
index c3cd9dbaf1..fe6aa10f30 100644
--- a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
+++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md
index f2a71b791d..07bac3574c 100644
--- a/includes/licensing/modern-device-management-through-mdm.md
+++ b/includes/licensing/modern-device-management-through-mdm.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md
index 25e6a5ef43..d58b1b1f23 100644
--- a/includes/licensing/onefuzz-service.md
+++ b/includes/licensing/onefuzz-service.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md
index 4629b28a5f..2954ec4c83 100644
--- a/includes/licensing/opportunistic-wireless-encryption-owe.md
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/passkeys.md b/includes/licensing/passkeys.md
new file mode 100644
index 0000000000..dae8584454
--- /dev/null
+++ b/includes/licensing/passkeys.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support passkeys:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Passkeys license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md
index ed0e014d0e..ff1909674e 100644
--- a/includes/licensing/personal-data-encryption-pde.md
+++ b/includes/licensing/personal-data-encryption-pde.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md
index 080229688a..656e7d6bde 100644
--- a/includes/licensing/privacy-resource-usage.md
+++ b/includes/licensing/privacy-resource-usage.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md
index fd57043298..09a88191f1 100644
--- a/includes/licensing/privacy-transparency-and-controls.md
+++ b/includes/licensing/privacy-transparency-and-controls.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/remote-credential-guard.md b/includes/licensing/remote-credential-guard.md
index 8e80d94a84..a9d5e47bfa 100644
--- a/includes/licensing/remote-credential-guard.md
+++ b/includes/licensing/remote-credential-guard.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md
index 6557c69147..416338f11f 100644
--- a/includes/licensing/remote-wipe.md
+++ b/includes/licensing/remote-wipe.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md
index b29dea38c5..1a28ce37fb 100644
--- a/includes/licensing/secure-boot-and-trusted-boot.md
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md
index 8acee3baef..065fb9930f 100644
--- a/includes/licensing/secured-core-configuration-lock.md
+++ b/includes/licensing/secured-core-configuration-lock.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/secured-core-pc-firmware-protection.md b/includes/licensing/secured-core-pc-firmware-protection.md
index 21a3a0651a..17d33cd9dd 100644
--- a/includes/licensing/secured-core-pc-firmware-protection.md
+++ b/includes/licensing/secured-core-pc-firmware-protection.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md
index bda8037388..697e3c1347 100644
--- a/includes/licensing/security-baselines.md
+++ b/includes/licensing/security-baselines.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md
index 683fa8db2e..e40088e7da 100644
--- a/includes/licensing/server-message-block-direct-smb-direct.md
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md
index cd9276809b..c2417234ba 100644
--- a/includes/licensing/server-message-block-smb-file-service.md
+++ b/includes/licensing/server-message-block-smb-file-service.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md
index fbc05610fb..8a281fcbd6 100644
--- a/includes/licensing/smart-app-control.md
+++ b/includes/licensing/smart-app-control.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md
index eb5061e582..f89dfe5b27 100644
--- a/includes/licensing/smart-cards-for-windows-service.md
+++ b/includes/licensing/smart-cards-for-windows-service.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md
index 4d6f832194..72c7191537 100644
--- a/includes/licensing/software-bill-of-materials-sbom.md
+++ b/includes/licensing/software-bill-of-materials-sbom.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md
index fe7d7c2314..5fc00e80ef 100644
--- a/includes/licensing/tamper-protection-settings-for-mde.md
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md
index 5642121480..e3893e47b5 100644
--- a/includes/licensing/transport-layer-security-tls.md
+++ b/includes/licensing/transport-layer-security-tls.md
@@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
-The following table lists the Windows editions that support Transport layer security (TLS):
+The following table lists the Windows editions that support Transport Layer Security (TLS):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
-Transport layer security (TLS) license entitlements are granted by the following licenses:
+Transport Layer Security (TLS) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/trusted-platform-module-tpm.md b/includes/licensing/trusted-platform-module-tpm.md
index 6f757d623a..1c441f151a 100644
--- a/includes/licensing/trusted-platform-module-tpm.md
+++ b/includes/licensing/trusted-platform-module-tpm.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md
index 87828b2774..100a608c5e 100644
--- a/includes/licensing/universal-print.md
+++ b/includes/licensing/universal-print.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md
index c34f82f836..5aad4958ad 100644
--- a/includes/licensing/user-account-control-uac.md
+++ b/includes/licensing/user-account-control-uac.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md
index eb309a2554..812d47fa6b 100644
--- a/includes/licensing/virtual-private-network-vpn.md
+++ b/includes/licensing/virtual-private-network-vpn.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md
index 70827aebce..912d2c961d 100644
--- a/includes/licensing/virtualization-based-security-vbs.md
+++ b/includes/licensing/virtualization-based-security-vbs.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/web-sign-in.md b/includes/licensing/web-sign-in.md
new file mode 100644
index 0000000000..73f9fd09e5
--- /dev/null
+++ b/includes/licensing/web-sign-in.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Web sign-in:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Web sign-in license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md
index 3d4a3e17c3..9e2cf75579 100644
--- a/includes/licensing/wifi-security.md
+++ b/includes/licensing/wifi-security.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md
index d97a10562a..65ba17659f 100644
--- a/includes/licensing/windows-application-software-development-kit-sdk.md
+++ b/includes/licensing/windows-application-software-development-kit-sdk.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md
index 4c866c7106..9d5dab8d27 100644
--- a/includes/licensing/windows-autopatch.md
+++ b/includes/licensing/windows-autopatch.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md
index 1eee13f367..ae6d646c68 100644
--- a/includes/licensing/windows-autopilot.md
+++ b/includes/licensing/windows-autopilot.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md
index 86ab8d5f14..52264205ff 100644
--- a/includes/licensing/windows-defender-application-control-wdac.md
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md
index 7e8c06b51d..cecce5edd5 100644
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/windows-defender-system-guard.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md
index 8e0bc9faf0..cfdbbca9d9 100644
--- a/includes/licensing/windows-firewall.md
+++ b/includes/licensing/windows-firewall.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
index 56e03e6bd4..780134b0ae 100644
--- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md
index 95ffbf43a9..229a6ae597 100644
--- a/includes/licensing/windows-hello-for-business.md
+++ b/includes/licensing/windows-hello-for-business.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md
index eaddd61d61..d0fa59421e 100644
--- a/includes/licensing/windows-laps.md
+++ b/includes/licensing/windows-laps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/windows-passwordless-experience.md
similarity index 64%
rename from includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
rename to includes/licensing/windows-passwordless-experience.md
index 5ae19412dd..e24ee8935e 100644
--- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
+++ b/includes/licensing/windows-passwordless-experience.md
@@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
## Windows edition and licensing requirements
-The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
+The following table lists the Windows editions that support Windows passwordless experience:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
-Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
+Windows passwordless experience license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
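Review bot: this rename changes what the include means, not only its file name. The old path `includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md` carried the entitlement table for Azure AD join, Active Directory domain join and Hybrid Azure AD join with SSO; the new path `includes/licensing/windows-passwordless-experience.md` carries the table for Windows passwordless experience (both `-`/`+` lines in the hunk show the text swap). Any page that still references the old include name will fail to build, and a page that referenced it for the join/SSO table would pull in the wrong feature if the reference is updated mechanically. Please confirm there are no remaining references to the old path and that the join/SSO licensing table is intentionally retired rather than lost; if it is still needed, add it back as its own include rather than repurposing this one.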
diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md
index 977c729c0c..aba249fcb0 100644
--- a/includes/licensing/windows-presence-sensing.md
+++ b/includes/licensing/windows-presence-sensing.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md
index a486fd64de..65198775ad 100644
--- a/includes/licensing/windows-sandbox.md
+++ b/includes/licensing/windows-sandbox.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md
index a1742270bf..07f612b6ae 100644
--- a/includes/licensing/windows-security-policy-settings-and-auditing.md
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md
new file mode 100644
index 0000000000..3121be77f0
--- /dev/null
+++ b/windows/client-management/declared-configuration-extensibility.md
@@ -0,0 +1,251 @@
+---
+title: Declared configuration extensibility
+description: Learn more about declared configuration extensibility through native WMI providers.
+ms.date: 09/26/2023
+ms.topic: how-to
+---
+
+# Declared configuration extensibility providers
+
+The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
+
+> [!NOTE]
+> Only string properties are currently supported by extensibility providers.
+
+```mof
+[static, Description ("Get resource state based on input configuration file." )]
+uint32 GetTargetResource(
+ [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied.")]
+ string InputResource,
+ [in, Description ("Flags passed to the provider. Reserved for future use." )]
+ uint32 Flags,
+ [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+ string OutputResource
+);
+
+[static, Description ("Test resource state based on input configuration file." )]
+uint32 TestTargetResource(
+ [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document to be applied." )]
+ string InputResource,
+ [in, Description ("Flags passed to the provider. reserved for future use." )]
+ uint32 Flags,
+ [out, Description ("True if identical. False otherwise." )]
+ boolean Result,
+ [out, Description ("Context information the provider can use to optimize the set. This is optional." )]
+ uint64 ProviderContext
+);
+
+[static, Description ("Set resource state based on input configuration file." )]
+uint32 SetTargetResource(
+ [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"),
+ Description ("Configuration document to be applied." )]
+ string InputResource,
+ [in, Description ("Context information the provider can use to optimize the set from SetTargetResource. This is optional." )]
+ uint64 ProviderContext,
+ [in, Description ("Flags passed to the provider. reserved for future use." )]
+ uint32 Flags
+);
+```
+
+## Author desired state configuration resources
+
+To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
+
+1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
+2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
+3. Edit the required files and include the correct file names and class names.
+4. Invoke the provider generator tool to generate the provider's project files.
+5. Copy the generated files into the provider's project folder.
+6. Start the development process.
+
+## Example
+
+This example provides more details about each step to demonstrate how to implement a sample native resource named `MSFT_FileDirectoryConfiguration`.
+
+### Step 1: Create the resource schema MOF file
+
+Create a sample schema MOF file used to generate the initial source code for the `MSFT_FileDirectoryConfiguration` native resource. Place it in the project directory named `MSFT_FileDirectoryConfiguration`.
+
+```mof
+#pragma include ("cim_schema_2.26.0.mof")
+#pragma include ("OMI_BaseResource.mof")
+#pragma include ("MSFT_Credential.mof")
+
+[ClassVersion("1.0.0"), Description("The configuration provider for files and directories.")]
+class MSFT_FileDirectoryConfiguration : OMI_BaseResource
+{
+ [Key, Description("File name and path on target node to copy or create.")]
+ string DestinationPath;
+
+ [Write, Description("The name and path of the file to copy from.")]
+ string SourcePath;
+
+ [Write, Description("Contains a string that represents the contents of the file. To create an empty file, the string must be empty. The contents will be written and compared using UTF-8 character encoding.")]
+ string Contents;
+
+ [static, Description ("Get resource states based on input configuration file." )]
+ uint32 GetTargetResource(
+ [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied." )]
+ string InputResource,
+
+ [in,Description ("Flags passed to the providers. Reserved for future use." )]
+ uint32 Flags,
+
+ [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+ string OutputResource
+ );
+
+ [static, Description ("Test resource states based on input configuration file." )]
+ uint32 TestTargetResource(
+ [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+ string InputResource,
+
+ [in, Description ("Flags passed to the providers. reserved for future use." )]
+ uint32 Flags,
+
+ [out, Description ("True if identical. False otherwise." )]
+ boolean Result,
+
+ [out, Description ("Context information that the provider can use to optimize the set, This is optional." )]
+ uint64 ProviderContext
+ );
+
+ [static, Description ("Set resource states based on input configuration file." )]
+ uint32 SetTargetResource(
+ [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+ string InputResource,
+
+ [in, Description ("Context information that the provider can use to optimize the set from TestTargetResource, This is optional." )]
+ uint64 ProviderContext,
+
+ [in, Description ("Flags passed to the providers. reserved for future use." )]
+ uint32 Flags
+ );
+};
+```
+
+> [!NOTE]
+>
+> - The class name and DLL file name should be the same, as defined in the `Provider.DEF` file.
+> - The type qualifier `[Key]` on a property indicates that it uniquely identifies the resource instance. At least one `[Key]` property is required.
+> - The `[Required]` qualifier indicates that the property is required. In other words, a value must be specified in any configuration script that uses this resource.
+> - The `[write]` qualifier indicates that the property is optional when using the custom resource in a configuration script. The `[read]` qualifier indicates that a property can't be set by a configuration, and is for reporting purposes only.
+> - The `[Values]` qualifier restricts the values that can be assigned to the property. Define the list of allowed values in `[ValueMap]`. For more information, see [ValueMap and value qualifiers](/windows/win32/wmisdk/value-map).
+> - Any new MOF file should include the following lines at the top of the file:
+>
+> ```mof
+> #pragma include ("cim_schema_2.26.0.mof")
+> #pragma include ("OMI_BaseResource.mof")
+> #pragma include ("MSFT_Credential.mof")
+> ```
+>
+> - Method names and its parameters should be same for every resource. Change `MSFT_FileDirectoryConfiguration` from EmbeddedInstance value to the class name of the desired provider. There should be only one provider per MOF file.
+
+### Step 2: Copy the schema MOF files
+
+Copy these required files and folders to the project directory you created in step 1:
+
+- `CIM-2.26.0`
+- `codegen.cmd`
+- `Convert-MofToProvider.exe`
+- `MSFT_Credential.mof`
+- `MSFT_DSCResource.mof`
+- `OMI_BaseResource.mof`
+- `OMI_Errors.mof`
+- `Provider.DEF`
+- `wmicodegen.dll`
+
+For more information on how to obtain the required files, see [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider).
+
+### Step 3: Edit the required files
+
+Modify the following files in the project directory:
+
+- `MSFT_FileDirectoryConfiguration.mof`: You created this file in step 1.
+- `Provider.DEF`: This file contains the DLL name, for example, `MSFT_FileDirectoryConfiguration.dll`.
+- `codegen.cmd`: This file contains the command to invoke `convert-moftoprovider.exe`.
+
+ ```cmd
+ "convert-moftoprovider.exe" ^
+ -MofFile MSFT_FileDirectoryConfiguration.mof ^
+ MSFT_DSCResource.mof ^
+ OMI_Errors.mof ^
+ -ClassList MSFT_FileDirectoryConfiguration ^
+ -IncludePath CIM-2.26.0 ^
+ -ExtraClass OMI_Error ^
+ MSFT_DSCResource ^
+ -OutPath temp
+ ```
+
+### Step 4: Run the provider generator tool
+
+Run `codegen.cmd`, which runs the `convert-moftoprovider.exe` command. Alternatively, you can run the command directly.
+
+### Step 5: Copy the generated source files
+
+The command in step 3 specifies the `-OutPath` parameter, which in this example is a folder named `temp`. When you run the tool in step 4, it creates new files in this folder. Copy the generated files from this `temp` folder to the project directory. You created the project directory in step 1, which in this example is `MSFT_FileDirectoryConfiguration`.
+
+> [!NOTE]
+> Any time you update the schema MOF file, run the `codegen.cmd` script to regenerate the source files. Rerunning the generator tool overwrites any existing the source files. To prevent this behavior, this example uses a temporary folder. Minimize updates to the schema MOF file since the main implementation should be merged with the most recent auto-generated source files.
+
+### About the `MSFT_FileDirectoryConfiguration` resource
+
+After you run the provider generator tool, it creates several source and header files:
+
+- `MSFT_FileDirectoryConfiguration.c`
+- `MSFT_FileDirectoryConfiguration.h`
+- `module.c`
+- `schema.c`
+- `WMIAdapter.c`
+
+From this list, you only need to modify `MSFT_FileDirectoryConfiguration.c` and `MSFT_FileDirectoryConfiguration.h`. You can also change the extension for the source files from `.c` to `.cpp`, which is the case for this resource. The business logic for this resource is implemented in `MSFT_FileDirectoryConfigurationImp.cpp` and `MSFT_FileDirectoryConfigurationImp.h`. These new files are added to the `MSFT_FileDirectoryConfiguration` project directory after you run the provider generator tool.
+
+For a native desired state configuration resource, you have to implement three autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp`:
+
+- `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource`
+
+From these three functions, only `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` is required for a Get scenario. `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource` and `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource` are used when remediation is needed.
+
+There are several other autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp` that don't need implementation for a native desired state configuration resource. You don't need to modify the following functions:
+
+- `MSFT_FileDirectoryConfiguration_Load`
+- `MSFT_FileDirectoryConfiguration_Unload`
+- `MSFT_FileDirectoryConfiguration_EnumerateInstances`
+- `MSFT_FileDirectoryConfiguration_GetInstance`
+- `MSFT_FileDirectoryConfiguration_CreateInstance`
+- `MSFT_FileDirectoryConfiguration_ModifyInstance`
+- `MSFT_FileDirectoryConfiguration_DeleteInstance`
+
+### About `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+
+The `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` function does the following steps to complete its task:
+
+1. Validate the input resource.
+1. Ensure the keys and required parameters are present.
+1. Create a resource instance that is used as the output of the Get method. This instance is of type `MSFT_FileDirectoryConfiguration`, which is derived from `MI_Instance`.
+1. Create the output resource instance from the modified resource instance and return it to the MI client by calling these functions:
+
+ - `MSFT_FileDirectoryConfiguration_GetTargetResource_Construct`
+ - `MSFT_FileDirectoryConfiguration_GetTargetResource_SetPtr_OutputResource`
+ - `MSFT_FileDirectoryConfiguration_GetTargetResource_Set_MIReturn`
+ - `MSFT_FileDirectoryConfiguration_GetTargetResource_Post`
+ - `MSFT_FileDirectoryConfiguration_GetTargetResource_Destruct`
+
+1. Clean up resources, for example, free allocated memory.
+
+## MI implementation references
+
+- [Introducing the management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api)
+- [Implementing MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview)
+- [Implementing MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema)
+- [Implementing MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code)
+- [Implementing MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute)
+- [Implementing MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement)
+- [Implementing MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug)
+- [MI interfaces](/previous-versions/windows/desktop/wmi_v2/mi-interfaces)
+- [MI datatypes](/previous-versions/windows/desktop/wmi_v2/mi-datatypes)
+- [MI structures and unions](/previous-versions/windows/desktop/wmi_v2/mi-structures-and-unions)
+- [MI_Result enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_result)
+- [MI_Type enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_type)
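Review bot: the `ProviderContext` description in the generic `SetTargetResource` signature at the top of the file ("Context information the provider can use to optimize the set from SetTargetResource") contradicts the schema MOF further down ("optimize the set from TestTargetResource"). The schema wording is the correct one: `TestTargetResource` returns `ProviderContext` as an `[out]` parameter and `SetTargetResource` consumes it as `[in]`, so the first block should say "from TestTargetResource". Smaller fixes in the same file: "Configuration document that to be applied" appears twice in the schema MOF and should read "Configuration document to be applied"; "overwrites any existing the source files" has a stray word; "Method names and its parameters should be same" should read "Method names and their parameters should be the same"; and the note uses `[write]` and `[read]` in lower case while the schema uses `[Write]`, so one casing should be used throughout. Finally, step 1 of the `GetTargetResource` walkthrough says only "Validate the input resource"; since this resource creates or copies files at `DestinationPath` from `SourcePath` or `Contents`, it would help implementers to state that validation covers those path and content properties before they are used, not just that the keys are present.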
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
new file mode 100644
index 0000000000..f655d1ae19
--- /dev/null
+++ b/windows/client-management/declared-configuration.md
@@ -0,0 +1,65 @@
+---
+title: Declared configuration protocol
+description: Learn more about using declared configuration protocol for desired state management of Windows devices.
+ms.date: 09/26/2023
+ms.topic: overview
+---
+
+# What is the declared configuration protocol
+
+The declared configuration protocol is based on a desired state device configuration model, though it still uses the underlying OMA-DM Syncml protocol. Through a dedicated OMA-DM server, it provides all the settings in a single batch through this protocol. The device's declared configuration client stack can reason over the settings to achieve the desired scenario in the most efficient and reliable manner.
+
+The declared configuration protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary MDM server. This other enrollment separates the desired state management functionality from the primary functionality. The declared configuration enrollment's first desired state management model feature is called [extensibility](declared-configuration-extensibility.md).
+
+:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the declared configuration model.":::
+
+With the [Declared Configuration CSP](mdm/declaredconfiguration-csp.md), the OMA-DM server can provide the device with the complete collection of setting names and associated values based on a specified scenario. The declared configuration stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario.
+
+The benefit of the declared configuration desired state model is that it's efficient and accurate, especially since it's the responsibility of the declared configuration client to configure the device. The efficiency of declared configuration is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the declared configuration protocol has low latency. As for configuration quality and accuracy, the declared configuration client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario.
+
+## Declared configuration enrollment
+
+[Mobile Device Enrollment Protocol version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) describes enrollment including discovery, which covers the primary and declared configuration enrollments. The device uses the following new [DMClient CSP](mdm/dmclient-csp.md) policies for declared configuration dual enrollment:
+
+- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll)
+- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll)
+- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus)
+- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror)
+- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
+
+The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**:
+
+```xml
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint
+
+ https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
+
+
+
+
+
+
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/Enroll
+
+
+
+
+
+
+```
+
+## Related content
+
+- [Declared Configuration extensibility](declared-configuration-extensibility.md)
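Review bot: the SyncML sample inside the ```xml fence has lost its element markup; only the `CmdID` values (`2`), the two `LocURI` paths and the `Data` value survive, so a reader cannot copy it, and the intro sentence promises two commands (one that sets the discovery endpoint, one that triggers the enrollment) that are no longer visible as commands. Please restore the full markup for both items. In the same file, the intro refers to **LinkedEnrolment/DiscoveryEndpoint**, which does not match the `LinkedEnrollment/...` node names listed just above it; "the server is responsible for the device's desire state" should read "desired state"; "which free up the server resources" should read "frees up"; and "OMA-DM Syncml" in the first paragraph should use the same spelling as "SyncML" later on. The second paragraph also says twice, in consecutive sentences, that the declared configuration enrollment depends on an existing primary MDM enrollment; one statement is enough.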
diff --git a/windows/client-management/images/declared-configuration-model.png b/windows/client-management/images/declared-configuration-model.png
new file mode 100644
index 0000000000..7708eedf57
Binary files /dev/null and b/windows/client-management/images/declared-configuration-model.png differ
diff --git a/windows/client-management/images/icons/group-policy.svg b/windows/client-management/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/client-management/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/client-management/images/icons/intune.svg b/windows/client-management/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/client-management/images/icons/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 2927f3eefe..9f3374bb96 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,29 +1,29 @@
---
-title: Support for mobile application management on Windows
-description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
+title: Support for Windows Information Protection (WIP) on Windows
+description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
ms.topic: article
ms.date: 08/10/2023
---
-# Support for mobile application management on Windows
+# Support for Windows Information Protection (WIP) on Windows
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
## Integration with Azure AD
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+WIP is integrated with Azure Active Directory (Azure AD) identity service. The WIP service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Entra ID account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non administrator users can enroll to MAM.
-## Integration with Windows Information Protection
+## Understand Windows Information Protection
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
+WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
To make applications WIP-aware, app developers need to include the following data in the app resource file.
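Review bot: the rewritten paragraph now reads "WIP takes advantage of built-in policies ... WPJ limits enforcement of WIP policies", which is circular in the first sentence (WIP using WIP policies) and switches subject to an unexpanded "WPJ" in the second; pick one subject (the enrollment channel that applies the policies, expanded on first use) and keep it consistent across both sentences, since the original "MAM on Windows" was the thing doing the limiting, not WIP itself. While here, the unchanged "Regular non administrator users can enroll to MAM." should be "non-administrator".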
@@ -74,7 +74,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
## Supported CSPs
-MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
+WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
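Review bot: changing "MAM on Windows supports the following configuration service providers" to "WIP supports ..." makes the statement wrong, because CSP availability is a property of the enrollment channel, not of Windows Information Protection; the list that follows includes ClientCertificateInstall CSP for VPN and Wi-Fi certificates, which has nothing to do with WIP. Use the same subject chosen for the previous hunk (for example the enrollment type) rather than "WIP", so the sentence "All other CSPs are blocked" is attributed to the component that actually enforces the block.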
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 9501d46c0a..b0c40d0dca 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -12,10 +12,10 @@ metadata:
ms.collection:
- highpri
- tier1
- author: aczechowski
- ms.author: aaroncz
+ author: vinaypamnani-msft
+ ms.author: vinpa
manager: aaroncz
- ms.date: 04/13/2023
+ ms.date: 09/26/2023
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -32,33 +32,28 @@ landingContent:
url: mdm-overview.md
- linkListType: concept
links:
- - text: MDM for device updates
- url: device-update-management.md
- - text: Enterprise settings, policies, and app management
+ - text: Manage settings
url: windows-mdm-enterprise-settings.md
- - text: Windows Tools/Administrative Tools
- url: client-tools/administrative-tools-in-windows.md
- - text: Create mandatory user profiles
- url: client-tools/mandatory-user-profile.md
+ - text: Manage updates
+ url: device-update-management.md
+ - text: Manage apps
+ url: enterprise-app-management.md
+ - text: Manage Copilot in Windows
+ url: manage-windows-copilot.md
- - title: Device enrollment
+ - title: Copilot in Windows
linkLists:
- - linkListType: overview
- links:
- - text: Mobile device enrollment
- url: mobile-device-enrollment.md
- - linkListType: concept
- links:
- - text: Enroll Windows devices
- url: mdm-enrollment-of-windows-devices.md
- - text: Automatic enrollment using Azure AD
- url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
- - text: Automatic enrollment using group policy
- url: enroll-a-windows-10-device-automatically-using-group-policy.md
- - text: Bulk enrollment
- url: bulk-enrollment-using-windows-provisioning-tool.md
+ - links:
+ - text: Manage Copilot in Windows
+ url: manage-windows-copilot.md
+ linkListType: how-to-guide
+ - links:
+ - text: Welcome overview
+ url: https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0
+ - text: Your data and privacy
+ url: https://support.microsoft.com/windows/privacy-in-windows-copilot-3e265e82-fc76-4d0a-afc0-4a0de528b73a
+ linkListType: overview
- # Card (optional)
- title: Configuration service provider reference
linkLists:
- linkListType: overview
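Review bot: the new "Copilot in Windows" card lists `linkListType` after `links` in each list item, whereas every other card on this page puts `linkListType` first; reorder for consistency. The "Manage Copilot in Windows" / `manage-windows-copilot.md` entry also appears twice, once in the first card's concept list and again in the new card's how-to-guide list, so drop one. Note as well that the privacy link here uses the slug `privacy-in-windows-copilot-3e265e82-...` while `manage-windows-copilot.md` in this same change uses `copilot-in-windows-your-data-and-privacy-3e265e82-...` for the same GUID; use one slug in both places.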
@@ -82,8 +77,36 @@ landingContent:
- text: Policy CSP - Update
url: mdm/policy-csp-update.md
+ - title: Device enrollment
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Mobile device enrollment
+ url: mobile-device-enrollment.md
+ - linkListType: concept
+ links:
+ - text: Enroll Windows devices
+ url: mdm-enrollment-of-windows-devices.md
+ - text: Automatic enrollment using Azure AD
+ url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+ - text: Automatic enrollment using group policy
+ url: enroll-a-windows-10-device-automatically-using-group-policy.md
+ - text: Bulk enrollment
+ url: bulk-enrollment-using-windows-provisioning-tool.md
+
+ - title: Client management tools
+ linkLists:
+ - linkListType: learn
+ links:
+ - text: Windows Tools/Administrative Tools
+ url: client-tools/administrative-tools-in-windows.md
+ - text: Use Quick assist
+ url: client-tools/quick-assist.md
+ - text: Connect to Azure AD devices
+ url: client-tools/connect-to-remote-aadj-pc.md
+ - text: Create mandatory user profiles
+ url: client-tools/mandatory-user-profile.md
- # Card (optional)
- title: Troubleshoot Windows clients
linkLists:
- linkListType: how-to-guide
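Review bot: "Use Quick assist" should be "Use Quick Assist", which is the product name. The blank line inserted between the "Device enrollment" and "Client management tools" cards is valid YAML but no other card on this page is separated that way; remove it to match the surrounding style.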
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
new file mode 100644
index 0000000000..d8b9867283
--- /dev/null
+++ b/windows/client-management/manage-windows-copilot.md
@@ -0,0 +1,31 @@
+---
+title: Manage Copilot in Windows
+description: Learn how to manage Copilot in Windows using MDM and group policy.
+ms.topic: article
+ms.date: 09/26/2023
+appliesto:
+- ✅ Windows 11
+---
+
+# Manage Copilot in Windows
+
+Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
+
+This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+
+## Turn off Copilot in Windows
+
+This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+
+| | Setting |
+|------------------|---------------------------------------------------------------------------------------------------------|
+| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Copilot > **Turn off Windows Copilot** |
+
+
+
+## Related articles
+
+- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
+
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
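Review bot: the CSP row gives the OMA-URI as `./User/Vendor/MSFT/WindowsAI/TurnOffWindowsCopilot`, but the link points at the Policy CSP reference (`mdm/policy-csp-windowsai.md#turnoffwindowscopilot`), and Policy CSP settings live under `./User/Vendor/MSFT/Policy/Config/<Area>/<Setting>`; the URI should therefore be `./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot`, otherwise an MDM profile built from this table fails to apply. Since only a User-scoped URI and a User Configuration group policy are listed, it is worth stating explicitly that the setting has to be targeted per user and that there is no device-scoped equivalent documented here. Minor: "Together, with Bing Chat" has a stray comma, and the three blank lines before "## Related articles" should be one.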
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 121ac1c046..ad995b441b 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -20,7 +20,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
-- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
+- [DDF v2 Files, September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
## DDF v2 schema
@@ -582,6 +582,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
You can download the older DDF files for various CSPs from the links below:
+- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip)
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
new file mode 100644
index 0000000000..ac422bfdcc
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -0,0 +1,1049 @@
+---
+title: DeclaredConfiguration CSP
+description: Learn more about the DeclaredConfiguration CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+
+
+
+# DeclaredConfiguration CSP
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+
+The primary MDM model is one where the MDM server is solely responsible for orchestration and continuous maintenance of the state of the device for configuration scenarios. This behavior results in intensive network traffic and high network latency due to the synchronous configuration model based on the OMA-DM Syncml standard. It's also error-prone given that the server needs deep knowledge of the client.
+
+The declared configuration device management model requires the server to deliver all the setting values to the device for the scenario configuration. The server sends them asynchronously in batches through the client declared configuration CSP.
+
+- During the client-initiated OMA-DM session, the declared configuration server sends a configuration or an inventory declared configuration document to the client through the [Declared Configuration CSP URI](#declared-configuration-oma-uri). If the device verifies the syntax of the document is correct, the client stack pushes the request to its orchestrator to process the request asynchronously. The client stack then exits, and returns control back to the declared configuration service. This behavior allows the device to asynchronously process the request.
+
+- On the client, if there are any requests in process or completed, it sends a [generic alert](#declared-configuration-generic-alert) to the server. This alert summarizes each document's status, state, and progress. Every client HTTPS request to the declared configuration OMA-DM server includes this summary.
+
+- The declared configuration server uses the generic alert to determine which requests are completed successfully or with errors. The server can then synchronously retrieve the declared configuration document process results through the [Declared Configuration CSP URI](#declared-configuration-oma-uri).
+
+
+
+The following list shows the DeclaredConfiguration configuration service provider nodes:
+
+- ./Device/Vendor/MSFT/DeclaredConfiguration
+ - [Host](#host)
+ - [Complete](#hostcomplete)
+ - [Documents](#hostcompletedocuments)
+ - [{DocID}](#hostcompletedocumentsdocid)
+ - [Document](#hostcompletedocumentsdociddocument)
+ - [Properties](#hostcompletedocumentsdocidproperties)
+ - [Abandoned](#hostcompletedocumentsdocidpropertiesabandoned)
+ - [Results](#hostcompleteresults)
+ - [{DocID}](#hostcompleteresultsdocid)
+ - [Document](#hostcompleteresultsdociddocument)
+ - [Inventory](#hostinventory)
+ - [Documents](#hostinventorydocuments)
+ - [{DocID}](#hostinventorydocumentsdocid)
+ - [Document](#hostinventorydocumentsdociddocument)
+ - [Results](#hostinventoryresults)
+ - [{DocID}](#hostinventoryresultsdocid)
+ - [Document](#hostinventoryresultsdociddocument)
+
+
+
+## Host
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host
+```
+
+
+
+
+The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+### Host/Complete
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete
+```
+
+
+
+
+This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+
+
+
+
+The server to client flow of the **Complete** request is the same as an **Inventory** request.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+#### Host/Complete/Documents
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents
+```
+
+
+
+
+The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Host/Complete/Documents/{DocID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}
+```
+
+
+
+
+Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+
+
+
+
+
+
+
+
+
+###### Host/Complete/Documents/{DocID}/Document
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Document
+```
+
+
+
+
+The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Host/Complete/Documents/{DocID}/Properties
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties
+```
+
+
+
+
+The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Host/Complete/Documents/{DocID}/Properties/Abandoned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties/Abandoned
+```
+
+
+
+
+The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The document is no longer managed. |
+| 1 | The document is managed. |
+
+
+
+
+
+
+
+
+
+#### Host/Complete/Results
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results
+```
+
+
+
+
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Host/Complete/Results/{DocID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}
+```
+
+
+
+
+Uniquely identifies the configuration document in which results of the configuration request will be returned.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+###### Host/Complete/Results/{DocID}/Document
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}/Document
+```
+
+
+
+
+The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Host/Inventory
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory
+```
+
+
+
+
+The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.
+
+
+
+
+The server to client flow of the **Inventory** request is the same as the **Complete** request.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+#### Host/Inventory/Documents
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents
+```
+
+
+
+
+The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Host/Inventory/Documents/{DocID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}
+```
+
+
+
+
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+
+
+
+
+
+
+
+
+
+###### Host/Inventory/Documents/{DocID}/Document
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}/Document
+```
+
+
+
+
+The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Host/Inventory/Results
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results
+```
+
+
+
+
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Host/Inventory/Results/{DocID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}
+```
+
+
+
+
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+###### Host/Inventory/Results/{DocID}/Document
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}/Document
+```
+
+
+
+
+The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+
+## Declared configuration OMA URI
+
+A declared configuration request is sent using an OMA-URI similar to `./Device/Vendor/MSFT/DeclaredConfiguration/Host/[Complete|Inventory]/Documents/{DocID}/Document`.
+
+- The URI is prefixed with a targeted scope. The target of the scenario settings can only be device wide for extensibility. The scope should be `Device`.
+- `{DocID}` is a unique identifier for the desired state of the configuration scenario. Every document must have an ID, which must be a GUID.
+- The request can be a **Configuration**, **Inventory**, or **Complete** request.
+
+The following URI is an example of a **Complete** request: `./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document`
+
+## DeclaredConfiguration document XML
+
+The value of the leaf node `Document` is an XML document that describes the request. The actual processing of the request pivots around the `osdefinedscenario` tag:
+
+- `MSFTExtensibilityMIProviderConfig`: Used to configure MI provider settings.
+- `MSFTExtensibilityMIProviderInventory`: Used to retrieve MI provider setting values.
+
+The DeclaredConfiguration CSP synchronously validates the batch of settings described by the `` element, which represents the declared configuration document. It checks for correct syntax based on the declared configuration XML schema. If there's a syntax error, the CSP returns an error immediately back to the server as part of the current OMA-DM session. If the syntax check passes, then the request is passed on to a Windows service. The Windows service asynchronously attempts the desired state configuration of the specified scenario. This process frees up the server to do other work thus the low latency of this declared configuration protocol. The Windows client service, the orchestrator, is responsible for driving the configuration of the device based on the server supplied desire state. The service also maintains this state throughout its lifetime, until the server removes or modifies it.
+
+The following example uses the built-in, native MI provider `MSFT_FileDirectoryConfiguration` with the OS-defined scenario `MSFTExtensibilityMIProviderConfig`:
+
+```xml
+
+
+ c:\data\test\bin\ut_extensibility.tmp
+ TestFileContentBlah
+
+
+```
+
+The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Set**, and **Delete**. The payload of the SyncML's `` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following example:
+
+```xml
+
+
+
+
+ 14
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/99988660-9080-3433-96e8-f32e85011999/Document
+
+
+
+
+ c:\data\test\bin\ut_extensibility.tmp
+ TestFileContentBlah
+
+ ]]>
+
+
+
+
+
+
+```
+
+### DeclaredConfiguration XML document tags
+
+Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` are OS-defined scenarios that require the same tags and attributes.
+
+- The `` XML tag specifies the details of the declared configuration document to process. The document could be part of a configuration request or an inventory request. The DeclaredConfiguration CSP has two URIs to allow the specification of a configuration or an inventory request.
+
+ This tag has the following attributes:
+
+ | Attribute | Description |
+ |--|--|
+ | `schema` | The schema version of the xml. Currently `1.0`. |
+ | `context` | States that this document is targeting the device. The value should be `Device`. |
+ | `id` | The unique identifier of the document set by the server. This value should be a GUID. |
+ | `checksum` | This value is the server-supplied version of the document. |
+ | `osdefinedscenario` | The named scenario that the client should configure with the given configuration data. For extensibility, the scenario is either `MSFTExtensibilityMIProviderConfig` or `MSFTExtensibilityMIProviderInventory`. |
+
+- The `` XML tag describes the targeted WMI provider expressed by a namespace and class name along with the values either to be applied to the device or queried by the MI provider.
+
+ This tag has the following attributes:
+
+ | Attribute | Description |
+ |--|--|
+ | `namespace` | Specifies the targeted MI provider namespace. |
+ | `classname` | The targeted MI provider. |
+
+- The `` XML tag describes the required parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `` content.
+
+ This tag has the following attributes:
+
+ | Attribute | Description |
+ |--|--|
+ | `name` | Specifies the name of an MI provider parameter. |
+
+- The `` XML tag describes the optional parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `` content.
+
+ This tag has the following attributes:
+
+ | Attribute | Description |
+ |--|--|
+ | `name` | Specifies the name of an MI provider parameter. |
+
+## Declared configuration generic alert
+
+On every client response to the server's request, the client constructs a declared configuration alert. This alert summarizes the state of each of the documents that the Windows service has processed. The following XML is an example alert:
+
+```xml
+
+ 1
+ 1224
+
+
+ com.microsoft.mdm.declaredconfigurationdocuments
+
+
+
+
+
+
+
+
+```
+
+In this example, there's one declared configuration document listed in the alert summary. The alert summary lists every document that the client stack is processing, either a configuration or inventory request. It describes the context of the document that specifies the scope of how the document is applied. The **context** value should be `Device`.
+
+The **state** attribute has a value of `60`, which indicates that the document was processed successfully. The following class defines the other state values:
+
+```csharp
+enum class DCCSPURIState :unsigned long
+{
+ NotDefined = 0, // transient
+ ConfigRequest = 1, // transient
+ ConfigInprogress = 2, // transient
+ ConfigInProgressAsyncPending = 3, // transient: Async operation is performed but pending results
+ DeleteRequest = 10, // transient
+ DeleteInprogress = 11, // transient
+
+ GetRequest = 20, // transient
+ GetInprogress = 21, // transient
+
+ ConstructURIStorageSuccess = 40, // transient
+
+ ConfigCompletedSuccess = 60, // permanent
+ ConfigCompletedError = 61, // permanent
+ ConfigInfraError = 62, // permanent
+ ConfigCompletedSuccessNoRefresh = 63, // permanent
+
+ DeleteCompletedSuccess = 70, // permanent
+ DeleteCompletedError = 71, // permanent
+ DeleteInfraError = 72, // permanent
+
+ GetCompletedSuccess = 80, // permanent
+ GetCompletedError = 81, // permanent
+ GetInfraError = 82 // permanent
+};
+```
+
+## SyncML examples
+
+- Retrieve the results of a configuration or inventory request:
+
+ ```xml
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+
+
+ ```
+
+ ```xml
+
+ 2
+ 1
+ 2
+ Get
+ 200
+
+
+ 3
+ 1
+ 2
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+- Replace a configuration or inventory request
+
+ ```xml
+
+
+
+ 14
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+ c:/temp/foobar.tmp
+
+
+ ]]>
+
+
+
+
+
+
+ ```
+
+ ```xml
+
+ 2
+ 1
+ 2
+ Get
+ 200
+
+ 3
+ 1
+ 2
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/99998660-9080-3433-96e8-f32e85019999/Document
+
+
+
+
+ c:/temp/foobar.tmp
+ TestFileContent
+
+
+
+
+
+ ```
+
+- Abandon a configuration or inventory request. This process results in the client tracking the document but not reapplying it. The alert has the `Abandoned` property set to `1`, which indicates that the document is no longer managed by the declared configuration server.
+
+ ```xml
+
+
+
+ 2
+
+
+ int
+ text/plain
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Properties/Abandoned
+
+ 1
+
+
+
+
+
+ ```
+
+- Deletion of configuration or inventory request. The SyncML deletion of the document only removes the document but any extensibility settings persist on the device (tattoo).
+
+ ```xml
+
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+
+
+ ```
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
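Review bot: The "Replace a configuration or inventory request" example's response block doesn't match its request: the request targets `./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document`, but the response reports a Status with `Cmd` `Get` and returns results under a different document ID (`.../Host/Inventory/Results/99998660-9080-3433-96e8-f32e85019999/Document`), so a reader can't tell whether the second block is the Replace status or a later Get of the results. Use one DocID throughout and caption the second block as the follow-up Get if that is what it is. Two smaller points in the same hunk: `DCCSPURIState` is a C++ `enum class ... : unsigned long`, so the fence should be tagged `cpp` rather than `csharp`; and the deletion bullet should spell out what "tattoo" means in practice (which settings remain on the device after the document is deleted and that a separate action is needed to revert them), because an administrator who relies on Delete for rollback needs exactly that.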
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
new file mode 100644
index 0000000000..8f17e34ba0
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -0,0 +1,482 @@
+---
+title: DeclaredConfiguration DDF file
+description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+
+
+# DeclaredConfiguration DDF file
+
+The following XML file contains the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+
+```xml
+
+]>
+
+ 1.2
+
+
+
+ DeclaredConfiguration
+ ./Device/Vendor/MSFT
+
+
+
+
+ The Declared Configuration CSP (Configuration Service Provider) allows the OMA-DM server to provide the device with the complete collection of setting names and associated values based on a specified scenario. The Declared Configuration stack on the device is responsible for handling the configuration request along with maintaining its state including updates to the scenario. It also provides the means to retrieve a scenario’s settings from the device. The configuration request and settings retrieval request are performed asynchronously, freeing up the server’s worker thread to do other useful work. The subsequent results can be retrieved through Declared Configuration’s result nodes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 9.9
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+ Host
+
+
+
+
+
+
+ The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Complete
+
+
+
+
+
+
+ This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Documents
+
+
+
+
+
+
+ The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+
+
+ DocID
+
+
+
+
+
+
+
+ [0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}
+
+
+
+ Document
+
+
+
+
+
+
+
+ The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Properties
+
+
+
+
+
+
+ The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Abandoned
+
+
+
+
+
+
+
+ 0
+ The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The document is no longer managed.
+
+
+ 1
+ The document is managed.
+
+
+
+
+
+
+
+
+ Results
+
+
+
+
+ The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Uniquely identifies the configuration document in which results of the configuration request will be returned.
+
+
+
+
+
+
+
+
+
+ DocID
+
+
+
+
+
+
+
+
+ Document
+
+
+
+
+ The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Inventory
+
+
+
+
+
+
+ The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Documents
+
+
+
+
+
+
+ The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+
+
+ DocID
+
+
+
+
+
+
+
+ [0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}
+
+
+
+ Document
+
+
+
+
+
+
+
+ The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Results
+
+
+
+
+ The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+
+
+
+
+
+
+
+
+
+ DocID
+
+
+
+
+
+
+
+
+ Document
+
+
+
+
+ The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related articles
+
+[DeclaredConfiguration configuration service provider reference](declaredconfiguration-csp.md)
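Review bot: The allowed-value descriptions for `Abandoned` look swapped: this hunk lists `0` as "The document is no longer managed." and `1` as "The document is managed.", yet the node's default is `0`, its description says the node lets the OMA-DM server indicate that the document is no longer managed, and the CSP article's abandon example earlier in this patch sets `Abandoned` to `1` to mark the document as no longer managed. Please confirm which mapping the client implements and make the DDF and the CSP article agree. Also in this hunk: the `Complete` description reads "placeholders that the need to be resolved" (drop "the"), and "The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously" in both `Document` descriptions is a comma splice that should be split into two sentences or joined with "and then".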
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index 1f3ec6eaa1..d8b4a5ca6e 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -430,7 +430,7 @@ This node provides status of the Device Preparation page. Values are an enum: 0
| Property name | Property value |
|:--|:--|
| Format | `int` |
-| Access Type | Get |
+| Access Type | Get, Replace |
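Review bot: Changing Access Type from `Get` to `Get, Replace` makes a node described as providing status (enum 0 = Disabled, 1 = Enabled, 2 = InProgress, 3 = ExitedOnSuccess, 4 = ExitedOnFailure) writable, but the hunk doesn't say which of those values a server is allowed to write or what a Replace does on the device. Add that to the description next to the enum list, and carry the same text into the DDF, whose hunk below only shows the enum description line.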
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 3174ac4dab..4f948ac7b5 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -88,6 +88,7 @@ The following XML file contains the device description framework (DDF) for the D
+ This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7c11cf5f09..80b8fa7703 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -80,10 +80,10 @@ The following list shows the DMClient configuration service provider nodes:
- [HelpWebsite](#deviceproviderprovideridhelpwebsite)
- [HWDevID](#deviceproviderprovideridhwdevid)
- [LinkedEnrollment](#deviceproviderprovideridlinkedenrollment)
+ - [DiscoveryEndpoint](#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
- [Enroll](#deviceproviderprovideridlinkedenrollmentenroll)
- [EnrollStatus](#deviceproviderprovideridlinkedenrollmentenrollstatus)
- [LastError](#deviceproviderprovideridlinkedenrollmentlasterror)
- - [Priority](#deviceproviderprovideridlinkedenrollmentpriority)
- [Unenroll](#deviceproviderprovideridlinkedenrollmentunenroll)
- [ManagementServerAddressList](#deviceproviderprovideridmanagementserveraddresslist)
- [ManagementServerToUpgradeTo](#deviceproviderprovideridmanagementservertoupgradeto)
@@ -2411,6 +2411,45 @@ The interior node for linked enrollment.
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+```
+
+
+
+
+Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an rmpty string with S_OK.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
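Review bot: Typo in the DiscoveryEndpoint description: "client will return an rmpty string" should be "an empty string". Beyond that, the text says the endpoint "returns a directory of endpoints for using the system including enrollment" without stating the expected value format (a URL, and whether it must be HTTPS) or what the client does when the endpoint is unreachable or returns an unexpected response. Since Enroll now depends on this value (the Enroll hunk below fails with `ERROR_FILE_NOT_FOUND (0x80070002)` when it isn't set), the description should state the expected format and the failure behaviour.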
@@ -2428,12 +2467,12 @@ The interior node for linked enrollment.
-Trigger to enroll for the Linked Enrollment.
+This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).
-This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
+This is an execution node and will trigger a silent Declared Configuration enrollment, using the AAD device token pulled from the Azure AD-joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
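Review bot: The first replacement line in this hunk is wrong for the `Enroll` node: it replaces "Trigger to enroll for the Linked Enrollment." with text describing a silent "unenroll" and rollback, which duplicates the `Unenroll` node's description later in this patch. Keep it as an enroll trigger (the removed "Trigger to enroll for the Linked Enrollment." was correct), and drop "(rollback details will be covered later)", which is placeholder text. In the second replacement, use one name for the directory instead of mixing "AAD device token" and "Azure AD-joined", and state the failure case directly: when **DiscoveryEndpoint** isn't set, the node fails with `ERROR_FILE_NOT_FOUND (0x80070002)` and no scheduled task is created for dual enrollment.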
@@ -2468,7 +2507,7 @@ This is an execution node and will trigger a silent MMP-C enrollment, using the
-Returns the current enrollment or un-enrollment status of the linked enrollment.
+Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.
@@ -2523,7 +2562,7 @@ Returns the current enrollment or un-enrollment status of the linked enrollment.
-return the last error for enroll/unenroll.
+Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.
@@ -2545,54 +2584,6 @@ return the last error for enroll/unenroll.
-
-##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority
-```
-
-
-
-
-Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for MDM settings and resources, 1 means the linked enrollment has authority.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | The main enrollment has priority over linked enrollment. |
-| 1 | The linked enrollment has priority over the main enrollment. |
-
-
-
-
-
-
-
-
##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
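Review bot: This hunk deletes the `Priority` node's documentation outright, but the removed applicability table listed it as available on released builds (Windows 10, version 2009 [10.0.19042.2193] through Windows 11, version 22H2 [10.0.22621]). If the node is being retired, say so with a short deprecation note so administrators who set `./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority` know whether it still has effect; if it moved elsewhere, add a pointer. The node list earlier in this file also drops it without comment.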
@@ -2615,7 +2606,7 @@ Trigger Unenroll for the Linked Enrollment.
-This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back.
+This is an execution node and will trigger a silent Declared Configuration unenroll, without any user interaction. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back.
@@ -3973,7 +3964,7 @@ The following SyncML shows how to remotely unenroll the device. This command sho
./Vendor/MSFT/DMClient/Provider//Unenroll
- chr
+ chr
TestMDMServer
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 8940dcd7f9..f47fafa391 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 09/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2548,47 +2548,13 @@ The following XML file contains the device description framework (DDF) for the D
1.6
-
- Priority
-
-
-
-
-
-
-
- Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 0
- The main enrollment has priority over linked enrollment.
-
-
- 1
- The linked enrollment has priority over the main enrollment.
-
-
-
- LastError
- return the last error for enroll/unenroll.
+ Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.
@@ -2609,7 +2575,7 @@ The following XML file contains the device description framework (DDF) for the D
- Returns the current enrollment or un-enrollment status of the linked enrollment.
+ Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.
@@ -2668,7 +2634,7 @@ The following XML file contains the device description framework (DDF) for the D
- Trigger to enroll for the Linked Enrollment
+ This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).
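Review bot: Same copy-and-paste problem as in dmclient-csp.md: the `Enroll` node's DDF description is replaced with the silent "unenroll" text and the "(rollback details will be covered later)" placeholder. The removed "Trigger to enroll for the Linked Enrollment" was the right description; fix it here and in the CSP article so the two stay in step.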
@@ -2704,6 +2670,36 @@ The following XML file contains the device description framework (DDF) for the D
+
+ DiscoveryEndpoint
+
+
+
+
+
+
+
+ Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 9.9
+
+
+
+
+ MultipleSession
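Review bot: "an rmpty string" should be "an empty string" in the DiscoveryEndpoint DDF description (the same typo is in dmclient-csp.md in this patch). The hunk also sets the node's supported version to `99.9.99999` / `9.9`, the same values this patch uses for the other Insider-only nodes, which matches the CSP article's "✅ Windows Insider Preview" applicability; make sure those values are replaced when the node ships in a released build.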
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 3f61327719..6bfcf539e2 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -3472,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -3547,7 +3547,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-65535]` |
+| Allowed Values | Range: `[0-255]` |
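Review bot: Narrowing the Allowed Values range from `[0-65535]` to `[0-255]` is a behavioural change for any server that already sends a value above 255 for this `int` node, but the hunk gives no context: state whether values above 255 were ever accepted and what the client does with them now (rejects the command with an error, or clamps), and add the same note to the DDF, where the matching hunk changes only the range string and its context line still misspells "default" as "detault".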
@@ -3812,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -3961,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -3999,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4049,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4099,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4149,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4296,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4334,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4384,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4434,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4484,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4533,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4571,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4621,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4671,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
@@ -4721,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later ✅ Windows Insider Preview [10.0.25398] |
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 8a398f09ae..1d38c29221 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -3030,7 +3030,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.23521.0
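Review bot: The replaced version string reads `10.0.25398, 10.0.22621.23521.0`, while the CSP article in this patch gives the 22H2 build as `10.0.22621.2352`; the trailing `1.0` looks like a stray fragment or a fused adjacent value, so verify the DDF holds `10.0.25398, 10.0.22621.2352` exactly. The same string is repeated in the other four version hunks of this file.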
@@ -3064,7 +3064,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.23521.0
@@ -3257,7 +3257,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.23521.0
@@ -3450,7 +3450,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.23521.0
@@ -4597,7 +4597,7 @@ If not specified the detault is OUT.
- [0-65535]
+ [0-255]
@@ -4833,7 +4833,7 @@ If not specified - a new rule is disabled by default.
- 10.0.25398
+ 10.0.25398, 10.0.22621.23521.0
diff --git a/windows/client-management/mdm/includes/mdm-insider-csp-note.md b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
index 5c8c70b1fe..bc1fc814b6 100644
--- a/windows/client-management/mdm/includes/mdm-insider-csp-note.md
+++ b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
@@ -7,4 +7,4 @@ ms.date: 05/09/2023
---
> [!IMPORTANT]
-> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+> This CSP contains some settings that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These settings are subject to change and may have dependencies on other features or services in preview.
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d5c2ebe843..8b5404c152 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -32,6 +32,7 @@ The following list shows the PassportForWork configuration service provider node
- ./Device/Vendor/MSFT/PassportForWork
- [{TenantId}](#devicetenantid)
- [Policies](#devicetenantidpolicies)
+ - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -164,6 +165,55 @@ Root node for policies.
+
+#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
+```
+
+
+
+
+Disable caching of the Windows Hello for Business credential after sign-in.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
#### Device/{TenantId}/Policies/DisablePostLogonProvisioning
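Review bot: The allowed-values table for `DisablePostLogonCredentialCaching` is ambiguous for a policy whose name already starts with "Disable": "false (Default) | Disabled." reads as if caching is disabled by default, when it means the policy is off and the credential is still cached. Spell out the effect per value (false: the Windows Hello for Business credential continues to be cached after sign-in; true: caching is turned off), and expand the one-line description to say what is cached, for what purpose, and what changes for the user when the policy is enabled, since that is what a reader deciding on this setting needs.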
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 8a2ac551bc..6cfc4fabfc 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -892,6 +892,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
+
+ DisablePostLogonCredentialCaching
+
+
+
+
+
+
+
+ False
+ Disable caching of the Windows Hello for Business credential after sign-in.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 1.6
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+ UseCertificateForOnPremAuth
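Review bot: Same ambiguity as in passportforwork-csp.md: the DDF's value descriptions for `DisablePostLogonCredentialCaching` are just "Disabled" for `false` and "Enabled" for `true`, which for a "Disable..." policy doesn't tell the reader whether the credential is cached or not; describe the effect on caching for each value and keep the wording identical to the CSP article.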
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d949612f72..bc9ea26ab4 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2144,6 +2144,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
- [EnableAllowedSources](policy-csp-desktopappinstaller.md)
- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
## DeviceInstallation
@@ -2416,7 +2417,10 @@ This article lists the ADMX-backed policies in Policy CSP.
- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [IntranetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneLogonOptions](policy-csp-internetexplorer.md)
- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
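Review bot: the three inserted entries (IntranetZoneLogonOptions, TrustedSitesZoneLogonOptions, LocalMachineZoneLogonOptions) are interleaved around the existing InternetZone and RestrictedSitesZone entries rather than sorted, so the LogonOptions family now reads Internet, Intranet, Trusted Sites, Restricted Sites, Local Machine. If this list is hand-maintained, sort the group; if it is generated from the ADMX order, no action needed.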
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index abaed7483e..a1d5758c14 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/25/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -383,10 +383,18 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
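Review bot: this file lists "policies in Policy CSP that have a group policy mapping", but of the eight entries added here the part of the policy page diff included in this change only shows a "Group policy mapping" table for Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly, DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways and DomainMember_DigitallyEncryptSecureChannelDataWhenPossible. Confirm the remaining entries (DomainMember_DigitallySignSecureChannelDataWhenPossible, DomainMember_DisableMachineAccountPasswordChanges, DomainMember_MaximumMachineAccountPasswordAge, DomainMember_RequireStrongSessionKey, InteractiveLogon_MachineAccountThreshold) also carry a mapping table in policy-csp-localpoliciessecurityoptions.md before listing them here.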
@@ -394,11 +402,13 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
@@ -412,8 +422,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md)
- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 0d8d931bf2..88fd182beb 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
-This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
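Review bot: the replacement line introduces a typo: `dism /online /export-defaultappassociations:appassoc. xml` has a stray space before `xml`, so the command as written no longer names the file `appassoc.xml`; remove the space. The rewrite also drops the sentence "The file can be further edited by adding attributes to control how often associations are applied by the policy." If that capability still exists, keep the sentence (or link to where those attributes are documented), since removing it leaves admins with no hint that the exported file can be tuned before it is base64-encoded into SyncML.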
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index 6fbb9672f7..66d7fcc0ad 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/14/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,8 +16,6 @@ ms.topic: reference
# Policy CSP - CloudDesktop
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -28,7 +26,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
@@ -77,7 +75,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
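Review bot: the Applicable OS cell is changed to `Windows 11, version 22H2 [10.0.22621.2338] and later`, but the value removed in this hunk was `Windows Insider Preview [10.0.22631.2050]`, a 22631-series build; confirm the policy really is present on 22621.2338, otherwise the page promises support on a build that lacks it. Removing the Insider include at the top of the file is consistent with this change, but no matching update to the CloudDesktop DDF appears in the part of the diff shown here; check that the DDF's OS version entries were updated from the Insider placeholder as well.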
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 7216ad6c03..325dcb5961 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1074,10 +1074,18 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
- If you enable this setting, CPU utilization won't exceed the percentage specified.
- If you disable or don't configure this setting, CPU utilization won't exceed the default value.
+
+
+> [!NOTE]
+> If you enable both of the following policies, then Windows ignores the value of **AvgCPULoadFactor**:
+>
+> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
+> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
+
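Review bot: the new note refers to "the product" twice ("Instructs the product to scan only when the computer isn't in use"); name the component instead, and state the consequence of the combination in one clause. As written, "Windows ignores the value of **AvgCPULoadFactor**" leaves the reader guessing whether the cap is lifted or the scan is skipped; given the second bullet disables CPU throttling on idle scans, the effect is that scans run without the AvgCPULoadFactor limit, which is what an admin tuning this value needs to know.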
@@ -2902,7 +2910,9 @@ Valid remediation action values are:
[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+
[TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
+
@@ -2910,3 +2920,4 @@ Valid remediation action values are:
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
+
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 0e8a4f4777..700a225113 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -723,6 +725,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
+
+## EnableWindowsPackageManagerCommandLineInterfaces
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
## SourceAutoUpdateInterval
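Review bot: the new EnableWindowsPackageManagerCommandLineInterfaces section has no description at all (the lines between the OMA-URI block and "Description framework properties" are empty), and its ADMX mapping table carries only Name and ADMX File Name, whereas the IntranetZoneLogonOptions mapping added in this same change has Friendly Name, Location, Path and Registry Key Name rows. Judging from its name the policy controls whether the Windows Package Manager command-line interfaces are available; at minimum state what enabled, disabled and not configured each do, and fill in the Friendly Name, Path and registry location so an admin can verify the setting on a device.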
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c0b5145841..d707b4af93 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -7727,6 +7729,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## IntranetZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_3 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## IntranetZoneNavigateWindowsAndFrames
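Review bot: the four logon options under "you can choose from the following logon options." are run as loose paragraphs (Anonymous logon ..., Prompt for user name and password ..., Automatic logon only in Intranet zone ..., Automatic logon with current user name and password ...) while the enable/disable/not-configured outcomes are bullets, so the option names are hard to pick out; format them as a nested list with the option name in bold, matching the style of the outcome bullets. The ADMX mapping also gives only the zone key (`Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1`) with no Registry Value Name row, so a reader cannot check the configured value on a device without opening inetres.admx; add the value name if the generator can emit it.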
@@ -8730,6 +8804,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## LocalMachineZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_9 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## LocalMachineZoneNavigateWindowsAndFrames
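Review bot: the wording is inconsistent within the section: the option list names "Automatic logon with current user name and password" but the not-configured outcome says "Automatic logon with current username and password"; use one spelling here and in TrustedSitesZoneLogonOptions so the outcome line can be matched to the option it refers to. Note also that the disabled outcome ("Automatic logon only in Intranet zone") is more restrictive than the not-configured outcome ("Automatic logon with current username and password"), the opposite of what readers usually expect from "disable"; if that asymmetry is intentional for the Local Machine zone, one sentence saying so would prevent misconfiguration.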
@@ -17229,6 +17375,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## TrustedSitesZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_5 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## TrustedSitesZoneNavigateWindowsAndFrames
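Review bot: the default stated at the end ("If you don't configure this policy setting, logon is set to Automatic logon with current username and password"), read together with the option description ("the logon uses the user's network user name and password for logon" via NTLM), means that out of the box any site placed in the Trusted Sites zone is sent the user's Windows credentials without a prompt. The section should say that plainly, because zone membership is then the only control on where those credentials go; administrators hardening this zone will typically want to choose "Prompt for user name and password" or "Automatic logon only in Intranet zone", and the doc should make that trade-off visible rather than leaving it implicit in the default.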
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9e5011246e..f3317c93af 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -367,6 +367,134 @@ Accounts: Rename guest account This security setting determines whether a differ
+
+## Audit_AuditTheUseOfBackupAndRestoreprivilege
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_AuditTheUseOfBackupAndRestoreprivilege
+```
+
+
+
+
+Audit: Audit the use of Backup and Restore privilege This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that's backed up or restored. If you disable this policy, then use of the Backup or Restore privilege isn't audited even when Audit privilege use is enabled.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `b64` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: ``) |
+
+
+
+
+
+
+
+
+
+## Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+```
+
+
+
+
+Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they're joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category level audit policy set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
+
+## Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+```
+
+
+
+
+Audit: Shut down system immediately if unable to log security audits This security setting determines whether the system shuts down if it's unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that's specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry can't be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log isn't full.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## Devices_AllowedToFormatAndEjectRemovableMedia
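Review bot: the Audit_AuditTheUseOfBackupAndRestoreprivilege entry is inconsistent with its two siblings: its Format is `b64` with `Allowed Values | List (Delimiter: ``)` (an empty delimiter) and it has no Default Value row, whereas the other two are `int`, Range `[0-1]`, with defaults 1 and 0 that match their "Default: Enabled" / "Default: Disabled" text. Either the generator picked up the wrong DDF type for this node or the DDF itself needs correcting, and the description's "Default: Disabled" should be reflected in a Default Value row. The NOTE blocks under the first and third entries are also ungrammatical ("On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows"); suggest "On Windows versions prior to Windows Vista, changes to this security setting don't take effect until you restart Windows." Finally, none of the three has a "Group policy mapping" table even though each is a Security Options setting ("Audit: ..."), and none is among the entries added to policies-in-policy-csp-supported-by-group-policy.md in this change; confirm that omission is intended.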
@@ -588,6 +716,381 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
+
+## Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+```
+
+
+
+
+Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Devices: Restrict floppy access to locally logged-on user only |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+```
+
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled.
+
+> [!NOTE]
+> If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt or sign secure channel data (always) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+```
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Default: Enabled.
+
+> [!IMPORTANT]
+> There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+> [!NOTE]
+> Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+```
+
+
+
+
+Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally sign secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DisableMachineAccountPasswordChanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+```
+
+
+
+
+Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password.
+
+- If this setting is enabled, the domain member doesn't attempt to change its computer account password.
+
+- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled.
+
+> [!NOTE]
+> This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Disable machine account password changes |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_MaximumMachineAccountPasswordAge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+```
+
+
+
+
+Domain member: Maximum machine account password age This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days.
+
+> [!IMPORTANT]
+> This setting applies to Windows 2000 computers, but it isn't available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 30 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Maximum machine account password age |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_RequireStrongSessionKey
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+```
+
+
+
+
+Domain member: Require strong (Windows 2000 or later) session key This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information that's transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that's encrypted.
+
+- If this setting is enabled, then the secure channel won't be established unless 128-bit encryption can be performed.
+
+- If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled.
+
+> [!IMPORTANT]
+> In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Require strong (Windows 2000 or later) session key |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
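Review bot: In the `DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways` description the two dependent policy names run into the surrounding sentence ("...the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled."), and the same happens in `DomainMember_RequireStrongSessionKey` ("...the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information..."). Put each policy name on its own `- ` bullet, as `DomainMember_DisableMachineAccountPasswordChanges` already does for its enabled/disabled cases, and move the "Default:" sentence after the list. Two smaller points: "NTLM pass through" is spelled "pass-through" in the neighbouring sections, and the `DomainMember_MaximumMachineAccountPasswordAge` table gives `Range: [0-999]` with no unit while the description only says "Default: 30 days"; add "(days)" to the Allowed Values row so a reader setting the CSP value knows what 30 means.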
@@ -822,6 +1325,56 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
+
+## InteractiveLogon_MachineAccountThreshold
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
+```
+
+
+
+
+Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Interactive logon: Machine account lockout threshold |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## InteractiveLogon_MachineInactivityLimit
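Review bot: The `InteractiveLogon_MachineAccountThreshold` description repeats the BitLocker sentence verbatim ("The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled.") at both the start and the end of the paragraph; keep one copy. The heading and description say "Machine account threshold" while the Group policy mapping says "Interactive logon: Machine account lockout threshold"; the description text should use the same name as the policy it maps to. The rule "Values from 1 to 3 will be interpreted as 4" is also worth surfacing in the Allowed Values row next to `Range: [0-999]`, since someone reading only the table will not expect 1 to behave as 4.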
@@ -972,6 +1525,87 @@ Interactive logon: Message title for users attempting to log on This security se
+
+## InteractiveLogon_NumberOfPreviousLogonsToCache
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_NumberOfPreviousLogonsToCache
+```
+
+
+
+
+Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 10 |
+
+
+
+
+
+
+
+
+
+## InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+```
+
+
+
+
+Interactive logon: Prompt user to change password before expiration Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that's sufficiently strong. Default: 5 days.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 5 |
+
+
+
+
+
+
+
+
## InteractiveLogon_SmartCardRemovalBehavior
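Review bot: `InteractiveLogon_NumberOfPreviousLogonsToCache` is documented as Format `chr` (string) with no Allowed Values row, although the description describes a count ("a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts") and every neighbouring numeric setting uses `int` with a range; either explain why this one is a string or add the 0-50 range and the clamping behaviour to the table. Both new sections in this hunk also lack the **Group policy mapping** table that the other sections in this change carry, and the default sentence "Default: Windows Server 2008: 25 All Other Versions: 10." needs separators (for example a bullet per version) to be readable.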
@@ -1226,6 +1860,56 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
+
+## MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+```
+
+
+
+
+Microsoft network server: Amount of idle time required before suspending a session This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-15]` |
+| Default Value | 15 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Microsoft network server: Amount of idle time required before suspending session |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## MicrosoftNetworkServer_DigitallySignCommunicationsAlways
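Review bot: The description and the table for `MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession` contradict each other: the text says "The maximum value is 99999, which is 208 days" and "Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations", while the table says `Range: [0-15]` and `Default Value 15`. If the CSP really limits the value to 0-15, the description should say so and drop the 99999 sentence; if not, the table is wrong. Either way the table should state the unit (minutes), and the Group policy mapping name ("before suspending session") should match the policy name used in the heading text ("before suspending a session").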
@@ -1359,6 +2043,88 @@ Microsoft network server: Digitally sign communications (if client agrees) This
+
+## MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+```
+
+
+
+
+Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
+
+## MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+```
+
+
+
+
+Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that's provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server. The options are: Off - the SPN isn't required or validated by the SMB server from a SMB client. Accept if provided by client - the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that's being requested to establish a connection. If no SPN is provided by client, or the SPN provided doesn't match, the session is denied. Default: Off All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. 
Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## NetworkAccess_AllowAnonymousSIDOrNameTranslation
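Review bot: `MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel` describes three options (Off, Accept if provided by client, Required from client) but the table only says `Range: [0-2]`; add the integer-to-option mapping so an administrator can tell which value enforces SPN validation against SMB relay. The description is also split so that the sentence "Additional information on implementing and using this to secure your SMB servers..." lacks the `+` prefix, which will make the patch fail to apply; keep the paragraph on one `+` line. Minor: "SPN's" should be "SPNs", and neither section in this hunk has a **Group policy mapping** table.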
@@ -1540,6 +2306,227 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
+
+## NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+```
+
+
+
+
+Network access: Don't allow storage of passwords and credentials for network authentication This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
+
+- If you enable this setting, Credential Manager doesn't store passwords and credentials on the computer.
+
+- If you disable or don't configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
+
+> [!NOTE]
+> When configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+```
+
+
+
+
+Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network access: Let Everyone permissions apply to anonymous users |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+```
+
+
+
+
+Network access: Named pipes that can be accessed anonymously This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Default: None.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_RemotelyAccessibleRegistryPaths
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPaths
+```
+
+
+
+
+Network access: Remotely accessible registry paths This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> This security setting isn't available on earlier versions of Windows. The security setting that appears on computers running Windows XP, "Network access: Remotely accessible registry paths" corresponds to the "Network access: Remotely accessible registry paths and subpaths" security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+```
+
+
+
+
+Network access: Remotely accessible registry paths and subpaths This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> On Windows XP, this security setting was called "Network access: Remotely accessible registry paths". If you configure this setting on a member of the Windows Server 2003 family that's joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
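Review bot: In `NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication` the "Default: Disabled." sentence sits inside the `[!NOTE]` about restarting Windows; move it out of the callout. In the two `NetworkAccess_RemotelyAccessibleRegistryPaths*` sections the default key lists are run together in one sentence ("Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry...") and the "Caution" text is inline where the page elsewhere uses `> [!CAUTION]`; list each path on its own line and use the callout. Since these settings are `chr` values holding several paths, the table should also say how the paths are delimited in the CSP value, and the "For more information, see Network access: Remotely accessible registry paths and subpaths" cross-references should be links. Minor: "By Default" should be "By default".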
@@ -1646,6 +2633,130 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
+
+## NetworkAccess_SharesThatCanBeAccessedAnonymously
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharesThatCanBeAccessedAnonymously
+```
+
+
+
+
+Network access: Shares that can be accessed anonymously This security setting determines which network shares can accessed by anonymous users. Default: None specified.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_SharingAndSecurityModelForLocalAccounts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharingAndSecurityModelForLocalAccounts
+```
+
+
+
+
+Network access: Sharing and security model for local accounts This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify. Default on domain computers: Classic. Default on stand-alone computers: Guest only Important With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.
+
+> [!NOTE]
+> This setting doesn't affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Services was called Terminal Services in previous versions of Windows Server. This policy will have no impact on computers running Windows 2000. When the computer isn't joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that's being used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_AllowLocalSystemNULLSessionFallback
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemNULLSessionFallback
+```
+
+
+
+
+Network security: Allow LocalSystem NULL session fallback Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
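Review bot: the NetworkSecurity_AllowLocalSystemNULLSessionFallback description and its property table disagree on the default. The text says "The default is TRUE up to Windows Vista and FALSE in Windows 7", but the Description framework table lists `| Default Value | 1 |`, and the Scope table applies this to all current editions, so the table claims the fallback is on by default while the sentence says it is off. That matters because 1 re-enables NULL-session fallback for NTLM under LocalSystem; please check the DDF and correct either the table or the sentence. Secondary points in the same hunk: the "Network access: Sharing and security model for local accounts" entry gives Range `[0-1]` and Default `0` but never says which integer is Classic and which is Guest only, while its text states different defaults for domain-joined (Classic) and stand-alone (Guest only) machines, so an allowed-values row mapping 0 and 1 to the two models is needed; the Important sentence in that description is inline rather than a `> [!IMPORTANT]` callout like the NOTE that follows it; the NOTE's Windows 2000 and Terminal Services wording is legacy text that this page does not need; and the Applicable OS cell is empty in both Scope tables.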
@@ -1961,6 +3072,53 @@ Network security LAN Manager authentication level This security setting determin
+
+## NetworkSecurity_LDAPClientSigningRequirements
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LDAPClientSigningRequirements
+```
+
+
+
+
+Network security: LDAP client signing requirements This security setting determines the level of data signing that's requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
+
+> [!CAUTION]
+> If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
+
+> [!NOTE]
+> This setting doesn't have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller. Default: Negotiate signing.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
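Review bot: for NetworkSecurity_LDAPClientSigningRequirements the NOTE ends with "Default: Negotiate signing." while the property table lists `| Default Value | 0 |` with Range `[0-2]`. Unless 0 is Negotiate signing, which the page never states, these contradict each other, and a reader who sets 0 expecting the documented default could end up with None, that is, unsigned LDAP binds. Add an allowed-values mapping (which integer is None, Negotiate signing and Require signature) or fix the default. Also in this hunk: "TLS\SSL" should be "TLS/SSL" (twice); the NOTE's "No Microsoft LDAP clients that are shipped with Windows XP Professional" is stale for a page scoped to Pro, Enterprise, Education, SE and IoT Enterprise; the "Default: Negotiate signing." sentence belongs in the body, not inside the NOTE about ldap_simple_bind; the three options (None, Negotiate signing, Require signature) are run together in one sentence and would read better as a list; and the Applicable OS cell is empty.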
@@ -2320,6 +3478,97 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
+
+## RecoveryConsole_AllowAutomaticAdministrativeLogon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+```
+
+
+
+
+Recovery console: Allow automatic administrative logon This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console doesn't require you to provide a password, and it automatically logs on to the system. Default: This policy isn't defined and automatic administrative logon isn't allowed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Recovery console: Allow automatic administrative logon |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+```
+
+
+
+
+Recovery console: Allow floppy copy and access to all drives and all folders Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on the computer. AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. NoCopyPrompt: Don't prompt when overwriting an existing file. Default: This policy isn't defined and the recover console SET command isn't available.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
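Review bot: the two RecoveryConsole_* entries in this hunk are inconsistent with each other: RecoveryConsole_AllowAutomaticAdministrativeLogon has a Group policy mapping section (Name and Path rows), but RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders ends after its Description framework table with no mapping, even though its description is the Security Options text for "Recovery console: Allow floppy copy and access to all drives and all folders". Add the mapping or explain why it is absent. Since a value of 1 for RecoveryConsole_AllowAutomaticAdministrativeLogon means "the Recovery Console doesn't require you to provide a password, and it automatically logs on", a one-line warning that enabling it hands an administrative session to anyone with physical or console access would be appropriate; the "Network access: Sharing and security model" description earlier in this file already carries an Important warning for a comparable exposure. Minor: "recover console SET command" at the end of the floppy-copy description should read "Recovery Console SET command"; the environment-variable list (AllowWildCards, AllowAllPaths, AllowRemovableMedia, NoCopyPrompt) has been flattened into one sentence and would be clearer as a list; and both Applicable OS cells are empty.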
@@ -2436,6 +3685,138 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
+
+## SystemCryptography_ForceStrongKeyProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemCryptography_ForceStrongKeyProtection
+```
+
+
+
+
+System Cryptography: Force strong key protection for user keys stored on the computer This security setting determines if users' private keys require a password to be used. The options are: User input isn't required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public key infrastructure. Default: This policy isn't defined.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+```
+
+
+
+
+System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | System objects: Require case insensitivity for non-Windows subsystems |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+```
+
+
+
+
+System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
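Review bot: the SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects description says "Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores." That is wrong: DOS device names, mutexes and semaphores are kernel object-manager objects that exist on every Windows machine, domain-joined or not, and the setting applies to stand-alone devices with no directory at all; "Active Directory" should be "Windows". Also in this hunk: SystemCryptography_ForceStrongKeyProtection lists its three options ("User input isn't required...", "User is prompted...", "User must enter a password...") run together without separators and with no mapping to the `[0-2]` range, and "For more information, see Public key infrastructure" has lost its link; only SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems carries a Group policy mapping section while the other two entries in this hunk do not; and the Applicable OS cells are empty in all three Scope tables.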
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cf9c04b176..9c9630b5ac 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/28/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -293,7 +293,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
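Review bot: the replacement sentence "This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)" drops a bare, unlinked aka.ms URL into the policy description and nests parentheses; the rest of this page uses Markdown links. Suggest: "This policy enables devices to get optional updates, including gradual feature rollouts (CFRs). For more information, see [aka.ms/AllowOptionalContent](https://aka.ms/AllowOptionalContent)." The change also removes the sentence about the "Get the latest updates as soon as they're available" toggle, which is the user-visible effect an admin looks for when deciding whether to set this policy; keep it unless the toggle behavior actually changed.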
@@ -1281,7 +1281,7 @@ If the status is set to Disabled or Not Configured, Windows will check for avail
> If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
> [!NOTE]
-> This policy isn't supported on %WINDOWS_ARM_VERSION_6_2%. Setting this policy won't have any effect on %WINDOWS_ARM_VERSION_6_2% PCs.
+> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
@@ -1459,7 +1459,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later ✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 10, version 21H2 [10.0.19044.1288] and later ✅ Windows 10, version 22H2 [10.0.19045.2130] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
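Review bot: the first entry in the new Applicable OS cell, "✅ [10.0.20348.371] and later", gives a build number with no product name, unlike every other entry in the same cell ("Windows 10, version 2004 [10.0.19041.1202] and later", and so on). A reader cannot tell which OS that build belongs to, so name it. The same unnamed entry is repeated in the three following hunks (at @@ -1528, @@ -1597 and @@ -1666) for the Windows Driver Updates, Windows Feature Updates and Other Updates policies; fix all four, and since the four cells are identical consider an include so they do not drift apart.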
@@ -1528,7 +1528,7 @@ Configure this policy to specify whether to receive **Windows Driver Updates** f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later ✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 10, version 21H2 [10.0.19044.1288] and later ✅ Windows 10, version 22H2 [10.0.19045.2130] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1597,7 +1597,7 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later ✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 10, version 21H2 [10.0.19044.1288] and later ✅ Windows 10, version 22H2 [10.0.19045.2130] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1666,7 +1666,7 @@ Configure this policy to specify whether to receive **Other Updates** from Windo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later ✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 10, version 21H2 [10.0.19044.1288] and later ✅ Windows 10, version 22H2 [10.0.19045.2130] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 6f0c889771..01d78ef14f 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,8 +18,6 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -565,7 +563,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
@@ -591,7 +589,6 @@ OverrideShellProgram policy allows IT admin to configure the shell program for W
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
-| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn` Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode` Dependency Allowed Value: `[1]` Dependency Allowed Value Type: `Range` |
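Review bot: this hunk deletes the `Dependency [BootToCloudModeDependencyGroup]` row (DependsOn `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode`, allowed value `[1]`) from the OverrideShellProgram property table, and nothing else in the diff says why. If the DDF still declares that dependency, the page now hides the precondition that OverrideShellProgram only takes effect when BootToCloudMode is 1, and an admin will configure a shell program on a device where it silently does nothing. If the dependency really was dropped alongside the move from Windows Insider Preview to Windows 11, version 22H2 [10.0.22621.2338] in the previous hunk, say so in the policy text; please confirm against the current DDF before removing the row.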
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 9125eb9388..2ca71c81c0 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -29,6 +29,15 @@ items:
href: ../structure-of-oma-dm-provisioning-files.md
- name: Server requirements for OMA DM
href: ../server-requirements-windows-mdm.md
+ - name: Declared Configuration protocol
+ href: ../declared-configuration.md
+ items:
+ - name: Declared Configuration extensibility
+ href: ../declared-configuration-extensibility.md
+ - name: DeclaredConfiguration CSP
+ href: declaredconfiguration-csp.md
+ - name: DMClient CSP
+ href: dmclient-csp.md
- name: Configuration service providers (CSPs)
expanded: true
items:
@@ -652,6 +661,11 @@ items:
items:
- name: CustomDeviceUI DDF file
href: customdeviceui-ddf.md
+ - name: DeclaredConfiguration
+ href: declaredconfiguration-csp.md
+ items:
+ - name: DeclaredConfiguration DDF file
+ href: declaredconfiguration-ddf-file.md
- name: Defender
href: defender-csp.md
items:
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 9a48d7372f..2fa1371357 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -48,6 +48,8 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
+ - name: Manage Copilot in Windows
+ href: manage-windows-copilot.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index 34434f0a9d..cda104c484 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
ms.technology: itpro-configure
ms.author: lizlong
author: lizgt2000
-ms.date: 06/27/2023
+ms.date: 08/11/2023
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
@@ -16,6 +16,9 @@ appliesto:
- ✅ Windows 11
---
+
+
+
# Accessibility information for IT professionals
Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
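Review bot: the hunk at @@ -16 adds three empty lines between the closing `---` of the front matter and the "# Accessibility information for IT professionals" heading. One blank line is the convention in this repo; the extra two are leftover noise and should be dropped.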
@@ -34,7 +37,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
## Vision
-- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
+- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages.
- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
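Review bot: the rewritten Narrator bullet replaces the concrete "Starting in Windows 11, version 22H2, Narrator includes more natural voices" with "Now the user is able to download and install 10 more natural languages." "Now" is undated and will be meaningless or wrong within a year on a page whose appliesto list covers both Windows 10 and Windows 11, and "natural languages" looks like a slip for "natural voices", which is the feature the old sentence named. Suggest keeping the version qualifier: "Starting in Windows 11, version 22H2, users can download and install 10 additional natural voices for Narrator." Please confirm the count and whether it is voices or languages before merging.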
@@ -109,8 +112,13 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
+- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script.
+
- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
+
+- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
+
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
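Review bot: the two new bullets in this hunk do not match the surrounding ones, which each open with a linked task title. "Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script." should become one sentence, for example "Narrator now supports extension scripts, delivered through the Microsoft Store; an Outlook script and an Excel script are currently available.", ideally with a link to the scripting documentation. In the second bullet, "With spellings experience in voice access" should read "With the spelling experience in voice access", and "add it to Windows dictionary" should be "add it to the Windows dictionary". "currently" has the same dating problem as "Now" in the earlier Narrator hunk; state the Windows version instead.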
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index b8da7a6027..5d7ac4a474 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -124,16 +124,6 @@
href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
- name: In-place upgrade
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- - name: Subscription Activation
- items:
- - name: Windows subscription activation
- href: windows-10-subscription-activation.md
- - name: Windows Enterprise E3 in CSP
- href: windows-10-enterprise-e3-overview.md
- - name: Configure VDA for subscription activation
- href: vda-subscription-activation.md
- - name: Deploy Windows Enterprise licenses
- href: deploy-enterprise-licenses.md
- name: Deploy Windows client updates
items:
- name: Assign devices to servicing channels
@@ -184,6 +174,109 @@
href: update/deployment-service-drivers.md
- name: Troubleshoot Windows Update for Business deployment service
href: update/deployment-service-troubleshoot.md
+ - name: Activate
+ items:
+ - name: Windows subscription activation
+ href: windows-10-subscription-activation.md
+ - name: Windows Enterprise E3 in CSP
+ href: windows-10-enterprise-e3-overview.md
+ - name: Configure VDA for subscription activation
+ href: vda-subscription-activation.md
+ - name: Deploy Windows Enterprise licenses
+ href: deploy-enterprise-licenses.md
+ - name: Volume Activation
+ items:
+ - name: Overview
+ href: volume-activation/volume-activation-windows-10.md
+ - name: Plan for volume activation
+ href: volume-activation/plan-for-volume-activation-client.md
+ - name: Activate using Key Management Service
+ href: volume-activation/activate-using-key-management-service-vamt.md
+ - name: Activate using Active Directory-based activation
+ href: volume-activation/activate-using-active-directory-based-activation-client.md
+ - name: Activate clients running Windows 10
+ href: volume-activation/activate-windows-10-clients-vamt.md
+ - name: Monitor activation
+ href: volume-activation/monitor-activation-client.md
+ - name: Use the Volume Activation Management Tool
+ href: volume-activation/use-the-volume-activation-management-tool-client.md
+ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+ - name: Volume Activation Management Tool (VAMT)
+ items:
+ - name: VAMT technical reference
+ href: volume-activation/volume-activation-management-tool.md
+ - name: Introduction to VAMT
+ href: volume-activation/introduction-vamt.md
+ - name: Active Directory-Based Activation Overview
+ href: volume-activation/active-directory-based-activation-overview.md
+ - name: Install and Configure VAMT
+ items:
+ - name: Overview
+ href: volume-activation/install-configure-vamt.md
+ - name: VAMT Requirements
+ href: volume-activation/vamt-requirements.md
+ - name: Install VAMT
+ href: volume-activation/install-vamt.md
+ - name: Configure Client Computers
+ href: volume-activation/configure-client-computers-vamt.md
+ - name: Add and Manage Products
+ items:
+ - name: Overview
+ href: volume-activation/add-manage-products-vamt.md
+ - name: Add and Remove Computers
+ href: volume-activation/add-remove-computers-vamt.md
+ - name: Update Product Status
+ href: volume-activation/update-product-status-vamt.md
+ - name: Remove Products
+ href: volume-activation/remove-products-vamt.md
+ - name: Manage Product Keys
+ items:
+ - name: Overview
+ href: volume-activation/manage-product-keys-vamt.md
+ - name: Add and Remove a Product Key
+ href: volume-activation/add-remove-product-key-vamt.md
+ - name: Install a Product Key
+ href: volume-activation/install-product-key-vamt.md
+ - name: Install a KMS Client Key
+ href: volume-activation/install-kms-client-key-vamt.md
+ - name: Manage Activations
+ items:
+ - name: Overview
+ href: volume-activation/manage-activations-vamt.md
+ - name: Run Online Activation
+ href: volume-activation/online-activation-vamt.md
+ - name: Run Proxy Activation
+ href: volume-activation/proxy-activation-vamt.md
+ - name: Run KMS Activation
+ href: volume-activation/kms-activation-vamt.md
+ - name: Run Local Reactivation
+ href: volume-activation/local-reactivation-vamt.md
+ - name: Activate an Active Directory Forest Online
+ href: volume-activation/activate-forest-vamt.md
+ - name: Activate by Proxy an Active Directory Forest
+ href: volume-activation/activate-forest-by-proxy-vamt.md
+ - name: Manage VAMT Data
+ items:
+ - name: Overview
+ href: volume-activation/manage-vamt-data.md
+ - name: Import and Export VAMT Data
+ href: volume-activation/import-export-vamt-data.md
+ - name: Use VAMT in Windows PowerShell
+ href: volume-activation/use-vamt-in-windows-powershell.md
+ - name: VAMT Step-by-Step Scenarios
+ items:
+ - name: Overview
+ href: volume-activation/vamt-step-by-step.md
+ - name: "Scenario 1: Online Activation"
+ href: volume-activation/scenario-online-activation-vamt.md
+ - name: "Scenario 2: Proxy Activation"
+ href: volume-activation/scenario-proxy-activation-vamt.md
+ - name: "Scenario 3: KMS Client Activation"
+ href: volume-activation/scenario-kms-activation-vamt.md
+ - name: VAMT Known Issues
+ href: volume-activation/vamt-known-issues.md
+ - name: Information sent to Microsoft during activation
+ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
- name: Monitor
items:
- name: Windows Update for Business reports
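Review bot: the Volume Activation block under the new Activate node has an orphaned `href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md` immediately after `href: volume-activation/use-the-volume-activation-management-tool-client.md`, with no `- name:` line in between. That puts two `href` keys in the same mapping (the "Use the Volume Activation Management Tool" item), which is a duplicate-key error in YAML and will either break the TOC build or silently point that item at the appendix. The block this replaces had `- name: "Appendix: Information sent to Microsoft during activation "` before that href, and the same page is already added at the end of the new VAMT block as "Information sent to Microsoft during activation", so delete the stray href line.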
@@ -280,9 +373,9 @@
- name: How does Windows Update work?
href: update/how-windows-update-works.md
- name: Windows client upgrade paths
- href: upgrade/windows-10-upgrade-paths.md
+ href: upgrade/windows-upgrade-paths.md
- name: Windows client edition upgrade
- href: upgrade/windows-10-edition-upgrades.md
+ href: upgrade/windows-edition-upgrades.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- name: Understand the Unified Update Platform
@@ -327,82 +420,6 @@
href: planning/security-and-data-protection-considerations-for-windows-to-go.md
- name: "Windows To Go: frequently asked questions"
href: planning/windows-to-go-frequently-asked-questions.yml
-
- - name: Volume Activation Management Tool (VAMT) technical reference
- items:
- - name: VAMT technical reference
- href: volume-activation/volume-activation-management-tool.md
- - name: Introduction to VAMT
- href: volume-activation/introduction-vamt.md
- - name: Active Directory-Based Activation Overview
- href: volume-activation/active-directory-based-activation-overview.md
- - name: Install and Configure VAMT
- items:
- - name: Overview
- href: volume-activation/install-configure-vamt.md
- - name: VAMT Requirements
- href: volume-activation/vamt-requirements.md
- - name: Install VAMT
- href: volume-activation/install-vamt.md
- - name: Configure Client Computers
- href: volume-activation/configure-client-computers-vamt.md
- - name: Add and Manage Products
- items:
- - name: Overview
- href: volume-activation/add-manage-products-vamt.md
- - name: Add and Remove Computers
- href: volume-activation/add-remove-computers-vamt.md
- - name: Update Product Status
- href: volume-activation/update-product-status-vamt.md
- - name: Remove Products
- href: volume-activation/remove-products-vamt.md
- - name: Manage Product Keys
- items:
- - name: Overview
- href: volume-activation/manage-product-keys-vamt.md
- - name: Add and Remove a Product Key
- href: volume-activation/add-remove-product-key-vamt.md
- - name: Install a Product Key
- href: volume-activation/install-product-key-vamt.md
- - name: Install a KMS Client Key
- href: volume-activation/install-kms-client-key-vamt.md
- - name: Manage Activations
- items:
- - name: Overview
- href: volume-activation/manage-activations-vamt.md
- - name: Run Online Activation
- href: volume-activation/online-activation-vamt.md
- - name: Run Proxy Activation
- href: volume-activation/proxy-activation-vamt.md
- - name: Run KMS Activation
- href: volume-activation/kms-activation-vamt.md
- - name: Run Local Reactivation
- href: volume-activation/local-reactivation-vamt.md
- - name: Activate an Active Directory Forest Online
- href: volume-activation/activate-forest-vamt.md
- - name: Activate by Proxy an Active Directory Forest
- href: volume-activation/activate-forest-by-proxy-vamt.md
- - name: Manage VAMT Data
- items:
- - name: Overview
- href: volume-activation/manage-vamt-data.md
- - name: Import and Export VAMT Data
- href: volume-activation/import-export-vamt-data.md
- - name: Use VAMT in Windows PowerShell
- href: volume-activation/use-vamt-in-windows-powershell.md
- - name: VAMT Step-by-Step Scenarios
- items:
- - name: Overview
- href: volume-activation/vamt-step-by-step.md
- - name: "Scenario 1: Online Activation"
- href: volume-activation/scenario-online-activation-vamt.md
- - name: "Scenario 2: Proxy Activation"
- href: volume-activation/scenario-proxy-activation-vamt.md
- - name: "Scenario 3: KMS Client Activation"
- href: volume-activation/scenario-kms-activation-vamt.md
- - name: VAMT Known Issues
- href: volume-activation/vamt-known-issues.md
-
- name: User State Migration Tool (USMT) technical reference
items:
- name: USMT overview articles
@@ -570,25 +587,6 @@
href: planning/testing-your-application-mitigation-packages.md
- name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- - name: Volume Activation
- items:
- - name: Overview
- href: volume-activation/volume-activation-windows-10.md
- - name: Plan for volume activation
- href: volume-activation/plan-for-volume-activation-client.md
- - name: Activate using Key Management Service
- href: volume-activation/activate-using-key-management-service-vamt.md
- - name: Activate using Active Directory-based activation
- href: volume-activation/activate-using-active-directory-based-activation-client.md
- - name: Activate clients running Windows 10
- href: volume-activation/activate-windows-10-clients-vamt.md
- - name: Monitor activation
- href: volume-activation/monitor-activation-client.md
- - name: Use the Volume Activation Management Tool
- href: volume-activation/use-the-volume-activation-management-tool-client.md
- - name: "Appendix: Information sent to Microsoft during activation "
- href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
-
- name: Install fonts in Windows client
href: windows-10-missing-fonts.md
- name: Customize Windows PE boot images
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index aa74140003..9189e7e85d 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -1,25 +1,24 @@
---
title: Microsoft Connected Cache content and services endpoints
-description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache.
-ms.date: 03/31/2023
+description: List of fully qualified domain names, ports, and associated content used by Microsoft Connected Cache.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
-ms.localizationpriority: medium
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Microsoft Connected Cache for ISPs
+- ✅ Microsoft Connected Cache for Enterprise and Education
+- ✅ Connected Cache on a Configuration Manager distribution point
+ms.date: 03/31/2023
---
# Microsoft Connected Cache content and services endpoints
-_Applies to:_
-
-- Windows 11
-- Windows 10
-
> [!NOTE]
> All ports are outbound.
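Review bot: `ms.date: 03/31/2023` is kept unchanged (only moved to the end of the front matter) while the appliesto audience changes from Windows 11 and Windows 10 to the three Microsoft Connected Cache variants and the description changes; the other pages in this PR bump ms.date when their content changes, so this one should too.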
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index 922909b41d..70feba838a 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -1,25 +1,24 @@
---
title: Using a proxy with Delivery Optimization
-manager: aaroncz
-description: Settings to use with various proxy configurations to allow Delivery Optimization to work
+description: Settings to use with various proxy configurations to allow Delivery Optimization to work in your environment.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 06/02/2023
---
# Using a proxy with Delivery Optimization
-**Applies to:**
-
-- Windows 11
-- Windows 10
-
When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
index 978410d908..bb0123cd75 100644
--- a/windows/deployment/do/delivery-optimization-test.md
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -1,16 +1,20 @@
---
title: Testing Delivery Optimization
-description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
-ms.date: 11/08/2022
+description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different scenarios.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
-ms.localizationpriority: medium
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 11/08/2022
---
# Testing Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index c201a86893..b5082f4ec4 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -1,25 +1,25 @@
---
-title: Delivery Optimization client-service communication explained
-manager: aaroncz
+title: Delivery Optimization client-service communication
description: Details of how Delivery Optimization communicates with the server when content is requested to download.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 12/31/2017
---
# Delivery Optimization client-service communication explained
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+Delivery Optimization is a cloud-managed solution that uses peer-to-peer (P2P) and local caching to deliver software updates and apps to Windows clients across your network. This article describes details of how Delivery Optimization communicates with the server when content is requested to download.
## Download request workflow
This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from.
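Review bot: the new `title: Delivery Optimization client-service communication` no longer matches the unchanged H1 `# Delivery Optimization client-service communication explained`; pick one wording so the metadata title and the page heading agree. Separately, an intro paragraph is added to the body here (a content change), yet `ms.date` is left at the `12/31/2017` placeholder while the other articles in this change set a current date; bump it.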
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 566e605a7c..353a3d4dee 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -1,24 +1,23 @@
---
title: MCC for Enterprise and Education Overview
-manager: aaroncz
-description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
+description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: carmenf
author: cmknox
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 05/09/2023
---
# Microsoft Connected Cache for Enterprise and Education Overview
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> [!IMPORTANT]
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 1e998c0da5..1192eaf675 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -1,17 +1,21 @@
---
-title: Appendix
-manager: aaroncz
-description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Appendix for MCC for Enterprise and Education
+description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection:
- tier3
- must-keep
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 02/06/2023
---
# Appendix
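Review bot: the title is changed to `Appendix for MCC for Enterprise and Education` but the H1 is still the bare `# Appendix`; since the page heading is what readers see, consider aligning it with the new title (or leave the title as it was) so the two do not diverge.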
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 53d2940cc1..10f5b9cddf 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -1,23 +1,24 @@
---
title: Deploying your cache node
-manager: aaroncz
-description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Auzre portal.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
+manager: aaroncz
ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 03/10/2023
---
-# Deploying your cache node
+# Deploy your cache node
-**Applies to**
-
-- Windows 10
-- Windows 11
+This article describes how to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node.
## Steps to deploy MCC
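Review bot: typo in the new description line, `from the Auzre portal` should read `from the Azure portal`. In the same hunk the H1 is changed to `# Deploy your cache node` while `title: Deploying your cache node` is left unchanged; update the title to the imperative form as well so metadata and heading match.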
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
index dec45fd83c..2fa49f91cc 100644
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -1,24 +1,23 @@
---
-title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education
-manager: aaroncz
-description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Requirements for MCC for Enterprise and Education
+description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- - ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 05/01/2023
---
# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> [!NOTE]
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
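Review bot: the `appliesto` entry `- - ✅ Microsoft Connected Cache for Enterprise and Education` has a doubled list marker, which YAML parses as a nested one-item list rather than a string like the two entries above it; drop the extra `- ` so the line reads `- ✅ Microsoft Connected Cache for Enterprise and Education`.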
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index 410155b347..207c2cf5fb 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -1,17 +1,21 @@
---
-title: Update or uninstall Microsoft Connected Cache for Enterprise and Education
-manager: aaroncz
-description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Update or uninstall MCC for Enterprise and Education
+description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection:
- tier3
- must-keep
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 10/12/2022
---
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index a4d800235c..3a8b22508f 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -1,17 +1,21 @@
---
-title: Cache node configuration
+title: Cache node configuration settings
manager: aaroncz
-description: Configuring a cache node on Azure portal.
+description: List of options that are available while configuring a cache node for your environment from the Azure portal.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: reference
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection:
- tier3
- must-keep
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 08/16/2023
---
# Cache node configuration
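Review bot: the title becomes `Cache node configuration settings` while the H1 stays `# Cache node configuration`; align the two. Also, `manager: aaroncz` is left at the top of the front matter here, whereas the other files in this change move it after `author`/`ms.author`; reorder for consistency across the set.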
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index d118693501..90165d9a23 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -1,24 +1,23 @@
---
-title: Create, provision, and deploy the cache node in Azure portal
-manager: aaroncz
+title: Create, provision, and deploy the cache node
description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
ms.prod: windows-client
+ms.technology: itpro-updates
+manager: aaroncz
author: nidos
ms.author: nidos
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
ms.reviewer: mstewart
+ms.topic: conceptual
+ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 05/09/2023
---
# Create, configure, provision, and deploy the cache node in Azure portal
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node requires downloading an installer script that will be run on your cache server.
> [!IMPORTANT]
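Review bot: `ms.topic` is changed from `article` to `conceptual`, but the body is a procedure ("This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes" followed by steps), so `how-to`, as used for `mcc-enterprise-deploy.md` in this same change, fits better. The shortened `title: Create, provision, and deploy the cache node` also no longer matches the unchanged H1 `# Create, configure, provision, and deploy the cache node in Azure portal`.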
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index f04f2e3dc9..4d845ee97e 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -2,6 +2,9 @@
metadata:
title: Microsoft Connected Cache Frequently Asked Questions
description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
+ ms.prod: windows-client
+ ms.technology: itpro-updates
+ ms.topic: faq
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
@@ -9,14 +12,13 @@ metadata:
ms.collection:
- highpri
- tier3
- ms.topic: faq
- ms.date: 09/30/2022
- ms.prod: windows-client
- ms.technology: itpro-updates
+ appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+ ms.date: 04/27/2023
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
- **Applies to**
- - Windows 10 and later
+ Frequently asked questions about Microsoft Connected Cache
sections:
- name: Ignored
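Review bot: the new `appliesto` list here contains only `✅ Windows 11` and `✅ Windows 10`, whereas the other ISP-facing articles in this change also list `✅ Microsoft Connected Cache for ISPs`; add that entry so the FAQ is tagged consistently with the rest of the MCC for ISPs documentation.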
diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md
index 9c0aa7fd80..f299c32448 100644
--- a/windows/deployment/do/mcc-isp-overview.md
+++ b/windows/deployment/do/mcc-isp-overview.md
@@ -1,23 +1,22 @@
---
title: MCC for ISPs Overview
-manager: aaroncz
-description: Overview for Microsoft Connected Cache for ISPs
+description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
+manager: aaroncz
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
-ms.date: 07/27/2023
-ms.technology: itpro-updates
ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 07/27/2023
---
-# Microsoft Connected Cache for ISPs Overview
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Microsoft Connected Cache for ISPs overview
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index 087a11d27f..c125b1e4e9 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -1,24 +1,23 @@
---
title: Operator sign up and service onboarding
-manager: aaroncz
-description: Service onboarding for Microsoft Connected Cache for ISP
+description: Instructions on how to go through the service onboarding process for Microsoft Connected Cache for ISPs.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+manager: aaroncz
author: nidos
ms.author: nidos
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
ms.reviewer: mstewart
+ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 07/07/2023
---
# Operator sign up and service onboarding for Microsoft Connected Cache
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview).
> [!NOTE]
@@ -73,7 +72,7 @@ Before you begin sign up, ensure you have the following components:
:::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
> [!NOTE]
- > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
+ > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
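Review bot: the only change in this hunk swaps the curly apostrophe in the quoted email subject "Here's your Microsoft Connected Cache verification code" for a straight one. Because readers are told to search their Spam folder for this exact subject, confirm that the normalized string still matches the subject line the service actually sends before changing the punctuation of quoted text.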
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index dba3bbfc15..2916abf2ef 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -1,24 +1,23 @@
---
title: Support and troubleshooting
-manager: aaroncz
-description: Troubleshooting issues for Microsoft Connected Cache for ISP
+description: Troubleshooting information for commonly encountered issues for onboarding or using Microsoft Connected Cache for ISPs.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: nidos
ms.author: nidos
-ms.topic: reference
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 12/31/2017
---
# Support and troubleshooting
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs.
## Common issues
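Review bot: `ms.date` remains at the `12/31/2017` placeholder even though this hunk removes the "Applies to" block from the body and reworks the front matter; the other articles in this change set a current date, so this one should be bumped as well.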
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index 5a3dcbd4fb..bd9f199feb 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -1,17 +1,21 @@
---
title: Update or uninstall your cache node
-manager: aaroncz
-description: How to update or uninstall your cache node
+description: This article contains information on how to update or uninstall your cache node for Microsoft Connected Cache for ISPs.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: how-to
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection:
- tier3
- must-keep
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 10/10/2022
---
# Update or uninstall your cache node
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index 9dc6e22466..eb3063a44f 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -1,15 +1,18 @@
---
-title: Verify cache node functionality and monitor health and performance
-manager: aaroncz
-description: How to verify the functionality of a cache node
+title: Verify cache node functionality and monitor health
+titleSuffix: Microsoft Connected Cache for ISPs
+description: How to verify the functionality of a cache node, monitor health and performance, and review metrics.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
ms.collection: tier3
+appliesto:
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 02/09/2023
---
# Verify cache node functionality and monitor health and performance
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 7d3b9de1cc..18b1bb8b73 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -1,15 +1,18 @@
---
title: Enhancing cache performance
-manager: aaroncz
-description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
+titleSuffix: Microsoft Connected Cache for ISPs
+description: This article explains how to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
-ms.topic: reference
-ms.technology: itpro-updates
-ms.date: 12/31/2017
ms.collection: tier3
+appliesto:
+- ✅ Microsoft Connected Cache for ISPs
+ms.date: 12/31/2017
---
# Enhancing cache performance
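Review bot: the new description `This article explains how to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs` is missing its trailing period, unlike the descriptions elsewhere in this change; add it. `ms.date` is also left at the `12/31/2017` placeholder here while most other files get a real date.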
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 097b922aa9..a8cdcfc4e1 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,30 +1,29 @@
---
-title: Microsoft Connected Cache for Internet Service Providers (ISPs)
-description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
+title: Microsoft Connected Cache for ISPs
+description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
ms.prod: windows-client
ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: how-to
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
-ms.topic: how-to
-ms.date: 05/20/2022
+ms.localizationpriority: medium
ms.collection: tier3
+ms.date: 03/07/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for ISPs (early preview)
---
# Microsoft Connected Cache for Internet Service Providers (early preview)
-*Applies to*
-
-- Windows 10
-- Windows 11
-
-## Overview
-
> [!IMPORTANT]
> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
+## Overview
+
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
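Review bot: `ms.date: 03/07/2023` is placed before the `appliesto` block here, whereas every other file in this change puts `appliesto` last followed by `ms.date`; reorder to match the convention the rest of the set adopts.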
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index d306d123f9..96509b2f68 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -2,21 +2,24 @@
metadata:
title: Delivery Optimization Frequently Asked Questions
description: List of frequently asked questions for Delivery Optimization.
- ms.reviewer: mstewart
ms.prod: windows-client
+ ms.technology: itpro-updates
+ ms.topic: faq
author: cmknox
ms.author: carmenf
manager: aaroncz
- ms.technology: itpro-updates
+ ms.reviewer: mstewart
ms.collection:
- highpri
- tier3
- ms.topic: faq
+ appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+ - ✅ Delivery Optimization
ms.date: 07/31/2023
title: Delivery Optimization Frequently Asked Questions
summary: |
- **Applies to**
- - Windows 10 and later
+ Frequently Asked Questions for Delivery Optimization
sections:
diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
index 2a44035bf3..512f9d41b7 100644
--- a/windows/deployment/do/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -1,17 +1,21 @@
---
-manager: aaroncz
title: Monitor Delivery Optimization
-description: How to monitor Delivery Optimization
-ms.collection:
- - tier3
+description: How to monitor Delivery Optimization using either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
-ms.date: 08/13/2023
-ms.localizationpriority: medium
ms.author: carmenf
author: cmknox
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection:
+ - tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 08/13/2023
---
# Monitor Delivery Optimization
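Review bot: the new description `How to monitor Delivery Optimization using either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets` lacks a trailing period, unlike the other descriptions edited in this change; add it for consistency.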
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 2735892b16..a3302aa5c3 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -1,26 +1,25 @@
---
title: Delivery Optimization reference
-manager: aaroncz
description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: reference
ms.technology: itpro-updates
-ms.date: 07/31/2023
-ms.collection: tier3
+ms.topic: reference
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 07/31/2023
---
# Delivery Optimization reference
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
+> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the main spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 61df7a10d6..37bfca7312 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -1,25 +1,24 @@
---
title: Set up Delivery Optimization
-description: In this article, learn how to set up Delivery Optimization.
+description: In this article, learn how to set up Delivery Optimization for use by Windows clients in your organization.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.localizationpriority: medium
-ms.topic: how-to
-ms.date: 12/19/2022
ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Delivery Optimization
+ms.date: 08/15/2023
---
# Set up Delivery Optimization for Windows
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
## Set up Delivery Optimization
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 14d8a8a7d9..d16c8dbb78 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -3,25 +3,23 @@ title: What is Delivery Optimization?
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
ms.prod: windows-client
ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: overview
author: cmknox
ms.author: carmenf
manager: aaroncz
+ms.reviewer: mstewart
ms.collection:
- tier3
- highpri
-ms.topic: overview
-ms.date: 12/31/2017
-ms.reviewer: mstewart
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 06/02/2023
---
# What is Delivery Optimization?
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
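Review bot: the unchanged context line `> **Looking for Group Policy objects?** ... the master spreadsheet available at the Download Center` still says "master spreadsheet", while the identical note in `waas-delivery-optimization-reference.md` is changed to "main spreadsheet" in this same change; apply the same wording here so the two articles stay in sync.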
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 398ef9a635..e3c42165c0 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -1,25 +1,23 @@
---
title: Microsoft Connected Cache overview
-manager: aaroncz
description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 05/09/2023
-ms.collection: tier3
+ms.topic: overview
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 06/02/2023
---
# What is Microsoft Connected Cache?
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> [!IMPORTANT]
> Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
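Review bot: the new `appliesto` block lists `✅ Windows 11` before `✅ Windows 10`, while the new files later in this PR (`windows-edition-upgrades.md`, `windows-upgrade-paths.md`) list Windows 10 first; pick one order for the whole PR. Also, `ms.date` moves from 05/09/2023 to 06/02/2023 even though the hunk changes only metadata; if the intent is to stamp the date of this change, note that the new files in the same PR use 10/02/2023.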
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index e8fa21b8c3..7f07d6a15f 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -1,25 +1,23 @@
---
title: Optimize Windows update delivery
-description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
+description: Learn about the two methods of peer-to-peer content distribution that are available, Delivery Optimization and BranchCache.
ms.prod: windows-client
-ms.localizationpriority: medium
+ms.topic: conceptual
+ms.technology: itpro-updates
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 02/14/2023
---
# Optimize Windows update delivery
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows client offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows client.
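Review bot: now that `appliesto` declares Windows 11, the unchanged opening sentence `When considering your content distribution strategy for Windows 10, think about enabling...` still scopes the article to Windows 10 while its next clause already says `Windows client offers two peer-to-peer options`; change the first clause to `Windows client` as well. As in the previous file, the `ms.date` chosen here (02/14/2023) matches neither the 06/02/2023 nor the 10/02/2023 used elsewhere in this PR.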
@@ -41,8 +39,8 @@ Two methods of peer-to-peer content distribution are available.
| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
| --- | --- | --- | --- | --- |
-| Delivery Optimization |  |  |  |  |
-| BranchCache |  |  | |  |
+| Delivery Optimization | Yes | Yes | Yes | Yes |
+| BranchCache | No | No |Yes | Yes |
> [!NOTE]
> Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
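Review bot: `| BranchCache | No | No |Yes | Yes |` is missing the space after the third pipe; the other row and the header use `| Yes |`, so align it. Replacing the empty cells with explicit Yes/No is the right fix, since the original checkmark images render as blanks in source, but consider the same ✅ glyph the next hunk introduces so the two tables in this article follow one convention.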
@@ -92,9 +90,9 @@ At this point, the download is complete and the update is ready to be installed.
| | |
| --- | --- |
-|  | [Learn about updates and servicing channels](../update/waas-overview.md) |
-|  | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
-|  | Optimize update delivery for Windows 10 updates (this article) |
-|  | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md) or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md) or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ✅| [Learn about updates and servicing channels](../update/waas-overview.md) |
+| ✅ | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
+| ✅ | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
+| ✅| [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
+| ✅ | Optimize update delivery for Windows 10 updates (this article) |
+| | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md) or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md) or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
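Review bot: the last row `+| | [Deploy updates using Windows Update for Business]...` keeps an empty first cell while every other row gained `✅`; either that step is intentionally unchecked (then the rows read as a completed checklist and the reader needs to know why the last one is not) or it lost its mark. Cell spacing is also mixed (`| ✅|` on two rows, `| ✅ |` on the rest). Finally, the row text `Optimize update delivery for Windows 10 updates (this article)` no longer matches the article title `Optimize Windows update delivery` or the Windows 11 `appliesto` added above.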
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 6236a48963..050b3310f5 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -1,25 +1,24 @@
---
title: What's new in Delivery Optimization
-manager: aaroncz
description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 06/02/2023
---
# What's new in Delivery Optimization
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+This article contains information about what's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
## Microsoft Connected Cache (early preview)
Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
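Review bot: the added line `+This article contains information about what's new in Delivery Optimization...` is immediately followed by `## Microsoft Connected Cache (early preview)` with no blank line between them (the hunk header's 25 to 24 line counts leave no room for one), which markdownlint reports as a heading without surrounding blank lines; add the blank line. The added sentence also repeats the `description` field word for word; a one-line intro that says something the description does not would read better.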
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
deleted file mode 100644
index c3c3acaa55..0000000000
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: Windows 10 edition upgrade (Windows 10)
-description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: conceptual
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Windows 10 edition upgrade
-
-**Applies to**
-
-- Windows 10
-
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
-
-
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
-
-> [!NOTE]
-> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
-
-> [!TIP]
-> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Configuration Manager.
-
- (X) = not supported
- (green checkmark) = supported, reboot required
- (blue checkmark) = supported, no reboot required
-
-
-
-| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** |  |  |  |  |  |  |
-| **Home > Pro for Workstations** |  |  |  |  |  |  |
-| **Home > Pro Education** |  |  |  |  |  |  |
-| **Home > Education** |  |  |  |  |  |  |
-| **Pro > Pro for Workstations** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Pro > Pro Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Pro > Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - Microsoft Store for Business) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Pro for Workstations > Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - Microsoft Store for Business) |  |  |
-| **Pro Education > Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-| **Enterprise > Education** |  |  |  |  (Microsoft Store for Business) |  |  |
-
-> [!NOTE]
-> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
-> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
->
-
-## Upgrade using mobile device management (MDM)
-- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
-
-
-## Upgrade using a provisioning package
-Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
-
-- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
-
-For more info about Windows Configuration Designer, see these articles:
-- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
-
-
-## Upgrade using a command-line tool
-You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
-
-`changepk.exe /ProductKey `
-
-You can also upgrade using slmgr.vbs and a [KMS client setup key](/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise.
-
-`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
-
-
-## Upgrade by manually entering a product key
-If you're upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
-
-**To manually enter a product key**
-
-1. From either the Start menu or the Start screen, type 'Activation' and select on the Activation shortcut.
-
-2. Select **Change product key**.
-
-3. Enter your product key.
-
-4. Follow the on-screen instructions.
-
-## Upgrade by purchasing a license from the Microsoft Store
-If you don't have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
-
-**To upgrade through the Microsoft Store**
-
-1. From either the **Start** menu or the **Start** screen, type 'Activation' and select on the Activation shortcut.
-
-2. Select **Go to Store**.
-
-3. Follow the on-screen instructions.
-
- > [!NOTE]
- > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
-
-## License expiration
-
-Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
-
-Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key isn't supported. You also can't downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This article doesn't discuss version downgrades.
-
-> [!NOTE]
-> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
-
-### Scenario example
-
-Downgrading from Enterprise
-
-- Original edition: **Professional OEM**
-- Upgrade edition: **Enterprise**
-- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
-
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
-
-### Supported Windows 10 downgrade paths
-
-✔ = Supported downgrade path
-
-S = Supported; Not considered a downgrade or an upgrade
-
-[blank] = Not supported or not a downgrade
-
-**Destination Edition: (Starting)**
-
- (green checkmark) = Supported downgrade path
- (blue checkmark) = Not considered a downgrade or an upgrade
- (X) = not supported or not a downgrade
-
-| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
-| **Home** |  |  |  |  |  |  |  |
-| **Pro** |  |  |  |  |  |  |  |
-| **Pro for Workstations** |  |  |  |  |  |  |  |
-| **Pro Education** |  |  |  |  |  |  |  |
-| **Education** |  |  |  |  |  |  |  |
-| **Enterprise LTSC** |  |  |  |  |  |  |  |
-| **Enterprise** |  |  |  |  |  |  |  |
-
-> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
-
-Some slightly more complex scenarios aren't represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
-
-## Related articles
-
-[Windows 10 upgrade paths](./windows-10-upgrade-paths.md)
-[Windows 10 volume license media](../windows-10-media.md)
-[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
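Review bot: deleting `windows-10-edition-upgrades.md` leaves an in-repo relative link to it in this same PR (`windows-10-upgrade-paths.md` still has `see [Windows 10 edition upgrade](windows-10-edition-upgrades.md)` in its unchanged text), and a site redirect for the published URL does not rewrite a relative link in source; update that link in the same change. Two details from this page are also not carried into the replacement: the worked `Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` example (the new file's `slmgr.vbs /ipk` line has no key at all) and the note that the reboot requirement for Pro to Enterprise was removed in 1607; confirm both are intentionally dropped.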
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 9cd2a2aca9..7686e7d15b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -11,18 +11,26 @@ ms.collection:
- highpri
- tier2
ms.technology: itpro-deploy
-ms.date: 10/28/2022
+ms.date: 10/02/2023
+appliesto:
+ - ✅ Windows 10
---
# Windows 10 upgrade paths
-**Applies to**
-
-- Windows 10
+> [!IMPORTANT]
+>
+> This article deals with upgrading from Windows versions that are out of support. For a current version of this article, please see [Windows upgrade paths](windows-upgrade-paths.md) that deals with currently supported versions of Windows.
+>
+> For more information, see:
+>
+> - [Windows 8.1 support ended on January 10, 2023](https://support.microsoft.com/windows/windows-8-1-support-ended-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93).
+> - [Windows 7 support ended on January 14, 2020](https://support.microsoft.com/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962).
+> - [FAQ about Windows 7 ESU](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).
## Upgrade paths
-This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
+This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
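Review bot: the unchanged line `If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md)` now points at a file deleted in this PR; change it to `windows-edition-upgrades.md`, because a redirect for the old published URL does not fix a relative link in source and the docs build will report it as broken. In the rewritten sentence, `from one release of Windows 10 to later release of Windows 10` is missing `a` before `later`.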
@@ -30,9 +38,9 @@ If you're also migrating to a different edition of Windows, see [Windows 10 edit
- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC isn't supported. Windows 10 LTSC 2015 didn't block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
- You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You'll need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+ You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
-- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data is kept but applications and settings are removed during the upgrade process.
- **Windows 8.0**: You can't upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
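Review bot: the rewritten line still carries the doubled word in `the option **Keep personal files and apps** option is grayed out`; since the sentence is being reworded anyway, drop the first `option`. The change from `You'll need to use the Product Key switch` to the passive `The Product Key switch needs to be used` is fine, but `the /pkey switch` would be clearer, since the next sentence names it.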
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
new file mode 100644
index 0000000000..44c3c79c40
--- /dev/null
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -0,0 +1,213 @@
+---
+title: Windows edition upgrade
+description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+ - ✅ Windows 10
+ - ✅ Windows 11
+---
+
+# Windows edition upgrade
+
+With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported. For information on what edition of Windows is right for you, see the following articles:
+
+- [Compare Windows 11 Editions](https://www.microsoft.com/windows/business/compare-windows-11).
+- [Explore Windows 11 Pro features](https://www.microsoft.com/windows/business/windows-11-pro).
+- [Windows 10 Pro vs Windows 11 Pro](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro).
+- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882).
+- [Windows For Business](https://www.microsoft.com/windows/business).
+
+For a comprehensive list of all possible upgrade paths to Windows, see [Windows upgrade paths](windows-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section in this article.
+
+The following table shows the methods and paths available to change the edition of Windows that is running on your computer.
+
+| Edition upgrade | MDM | Provisioning package | Command- line tool | Manually entering product key |
+|-----| ----- | ----- | ----- | ----- |
+| **Home > Pro** | ❌ | ❌ | ❌ | ☑️ |
+| **Home > Pro for Workstations** | ❌ | ❌ | ❌ | ☑️|
+| **Home > Pro Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Home > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Pro for Workstations** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro for Workstations > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro Education > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Enterprise > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+
+- ✅ = Supported, no reboot required.
+- ☑️ = Supported, but reboot required.
+- ❌ = Not supported.
+- MDM = Modern device management.
+
+> [!NOTE]
+>
+> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
+>
+> - Edition upgrades via Microsoft Store for Business are no longer available with the retirement of the Microsoft Store for Business. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring) and [Microsoft Store for Business and Microsoft Store for Education overview](/microsoft-store/microsoft-store-for-business-overview).
+
+> [!TIP]
+> Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
+
+## Upgrade using modern device management (MDM)
+
+To upgrade desktop editions of Windows using MDM, enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
+
+For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
+
+## Upgrade using a provisioning package
+
+Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition of Windows. Windows Configuration Designer is available as part of the Windows Assessment and Deployment Kit (Windows ADK) or as a stand-alone Microsoft Store app. Download the Windows Configuration Designer from one of the following locations:
+
+- [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) - When installing the ADK, make sure to select **Configuration Designer**. After installation, Windows Configuration Designer can be found in the Start Menu under **Windows Kits** > **Windows Imaging and Configuration Designer**.
+
+- [Windows Configuration Designer](https://apps.microsoft.com/store/detail/windows-configuration-designer/9NBLGGH4TX22) - Microsoft Store app. After installation, Windows Configuration Designer can be found in the Start menu as **Windows Configuration Designer**.
+ > [!div class="nextstepaction"]
+ > [Download Windows Configuration Designer from the Microsoft Store](ms-windows-store://pdp/?ProductId=9NBLGGH4TX22)
+
+To create a provisioning package for upgrading desktop editions of Windows:
+
+1. Open Windows Configuration Designer.
+
+1. Select **Advanced provisioning**.
+
+1. In the **New project** window that opens:
+
+ 1. Under **Enter project details**, give the project a name and then select the **Next** button.
+
+ 1. Under **Choose which settings to view and configure**, select **All Windows desktop editions** and then select the **Next** button.
+
+ 1. Under **Import a provisioning package (optional)**, select the **Finish** button.
+
+1. Under **Available customizations**, expand **Runtime settings** > **EditionUpgrade** and then select **ChangeProductKey**.
+
+1. In the **EditionUpgrade/ChangeProductKey** pane, next to **ChangeProductKey**, enter the product key for the upgraded edition.
+
+1. Under the **File** menu, select **Save**.
+
+1. Under the **Export** menu, select **Provisioning package**.
+
+1. Step through the **Build** wizard to create the provisioning package, making sure to save the provisioning package to a known location.
+
+For more info about Windows Configuration Designer, see the following articles:
+
+- [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
+
+## Upgrade using a command-line tool
+
+The `changepk.exe` command-line tool can be used to upgrade devices to a supported edition of Windows:
+
+```cmd
+changepk.exe /ProductKey `
+```
+
+Upgrades can also be performed using `slmgr.vbs` and a [KMS client setup key](/windows-server/get-started/kmsclientkeys). For example:
+
+```cmd
+cscript.exe c:\windows\system32\slmgr.vbs /ipk
+```
+
+## Upgrade by manually entering a product key
+
+If only a few devices are being upgraded devices, a product key for the upgraded edition can be entered manually. To manually enter a product key:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+ `ms-settings:activation`
+
+ and then select **OK**.
+
+1. Select **Change product key**.
+
+1. Enter your product key.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the **Settings** app to the activation page:
+
+> [!div class="nextstepaction"]
+> [Activation](ms-settings:activation)
+
+## Upgrade by purchasing a license from the Microsoft Store
+
+If you don't have a product key, you can upgrade your edition of Windows through the Microsoft Store. To upgrade through the Microsoft Store:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+ `ms-windows-store://windowsupgrade/`
+
+ and then select **OK**.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the Microsoft Store to the page for upgrading the edition of Windows:
+
+> [!div class="nextstepaction"]
+> [Upgrade Windows Edition](ms-windows-store://windowsupgrade/)
+
+## License expiration
+
+Volume license customers whose license has expired need to change the edition of Windows to an edition with an active license. Downgrading the edition of Windows is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
+
+The following scenarios aren't supported:
+
+- Downgrading Windows to a pervious version by entering a different product key, for example from Windows 11 Pro to Windows 10 Pro.
+
+- Downgrading from a later version to an earlier version of the same edition of Windows, for example from Windows 11 Pro 22H2 to Windows 11 Pro 22H1, unless using rollback.
+
+> [!NOTE]
+>
+> If you're using [Windows subscription activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices automatically revert to the original edition when the grace period expires.
+
+## Supported Windows downgrade paths
+
+| Edition | Home | Pro | Pro for Workstations | Pro Education | Education | Enterprise LTSC | Enterprise |
+|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
+| **Home** | - | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro** | ❌ | - | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro for Workstations** | ❌ | ❌ | - | ❌ | ❌ | ❌ | ❌ |
+| **Pro Education** | ❌ | ❌ | ❌ | - | ❌ | ❌ | ❌ |
+| **Education** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+| **Enterprise LTSC** | ❌ | ❌ | ❌ | ❌ | ❌ | - | ❌ |
+| **Enterprise** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+
+- ✅ = Supported downgrade path.
+- ❌ = not supported or not a downgrade.
+- \- = Not considered a downgrade or an upgrade.
+
+> [!NOTE]
+>
+> Windows **N** and Windows **KN** SKUs follow the same rules shown in the table.
+
+The table may not represent more complex scenarios. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key. You can then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
+
+### Scenario example: Downgrading from Enterprise
+
+- Original edition: **Professional OEM**
+- Upgrade edition: **Enterprise**
+- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
+
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
+
+## Related articles
+
+- [Windows upgrade paths](./windows-upgrade-paths.md)
+- [Volume Licensing Service Center](/licensing/)
+- [Windows Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
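Review bot: the second unsupported-scenario bullet cites a Windows 11 release that doesn't exist ("from Windows 11 Pro 22H2 to Windows 11 Pro 22H1"); Windows 11 shipped as 21H2 and then 22H2, so the example should read 22H2 to 21H2. In the first bullet, "pervious" should be "previous". The scenario example at the end lists Education as a valid downgrade target from Enterprise, but the table marks Enterprise to Education as "-" (neither a downgrade nor an upgrade), so the two disagree; pick one. Also use "Pro for Workstations" consistently, since the paragraph after the table says "Pro for Workstation", and capitalize the legend entries the same way ("not supported or not a downgrade" versus "Supported downgrade path").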
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
new file mode 100644
index 0000000000..c8ea3f2dda
--- /dev/null
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -0,0 +1,71 @@
+---
+title: Windows upgrade paths
+description: Upgrade to current versions of Windows from a previous version of Windows
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+ - ✅ Windows 10
+ - ✅ Windows 11
+---
+
+# Windows upgrade paths
+
+## Upgrade paths
+
+This article provides a summary of available upgrade paths to currently supported versions of Windows. You can upgrade to currently supported versions of Windows from previous versions of Windows that are also still supported. Paths include upgrading from one release of Windows to a later release of the same version of Windows. Migrating from one edition of Windows to a different edition of the same release is also supported.
+
+> [!NOTE]
+>
+> If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). The [Windows edition upgrade](windows-edition-upgrades.md) article describes methods and supported paths to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't always maintained when the Windows edition is downgraded.
+
+- **Windows version upgrade**: You can directly upgrade any General Availability Channel version of Windows to a newer, supported General Availability Channel version of Windows, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
+
+- **Upgrade from Windows LTSC to Windows General Availability Channel**: Upgrade from Windows LTSC to Windows General Availability Channel is available when upgrading to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise 22H2. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if apps need to be kept. If the switch isn't used, the option **Keep personal files and apps** option is grayed out. The command line to perform the upgrade is:
+
+ ```cmd
+ setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
+ ```
+
+ where **xxxxx-xxxxx-xxxxx-xxxxx-xxxxx** is the Windows General Availability Channel product key. For example, if using a KMS, the command line for Windows Enterprise would be:
+
+ ```cmd
+ setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43
+ ```
+
+ For additional product keys for use with KMS, see [Key Management Services (KMS) client activation and product keys:Generic Volume License Keys (GVLK)](/windows-server/get-started/kms-client-activation-keys#generic-volume-license-keys-gvlk).
+
+ > [!IMPORTANT]
+ > In-place upgrade from Windows General Availability Channel to Windows LTSC isn't supported.
+ >
+ >
+ > Windows 10 LTSC 2015 didn't block this in-place upgrade path even though it isn't supported. This issue was corrected in the Windows 10 LTSC 2016 release. Windows 10 LTSC 2016 only allows data-only and clean install options.
+
+- **Windows N/KN**: **Windows N** and **Windows KN** SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type, for example, Windows 10 Pro N to Windows 11 Pro, personal data is kept but applications and settings are removed during the upgrade process.
+
+## Supported Windows upgrade paths
+
+| Windows Edition | **Windows Home** | **Windows Pro** | **Windows Pro Education** | **Windows Education** | **Windows Enterprise** |
+|---|---|---|---|---|---|
+| **Windows Home** | ❌ | ✅ | ✅ | ✅ | ❌ |
+| **Windows Pro** | ⬇️ | ❌ | ✅ | ✅ | ✅ |
+| **Windows Education** | ❌ | ❌ | ❌ | ❌ | ⬇️ |
+| **Windows Enterprise** | ❌ | ❌ | ❌ | ✅ | ❌ |
+
+- ✅ = Full upgrade is supported including personal data, settings, and applications.
+- ❌ = Upgrade isn't supported or not applicable.
+- ⬇️ = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+## Related articles
+
+- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows edition upgrade](windows-edition-upgrades.md)
\ No newline at end of file
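Review bot: the edition table here contradicts the downgrade table added in windows-edition-upgrades.md in the same change: this table shows Pro to Home as a supported edition downgrade (⬇️) and Education to Enterprise as a downgrade, while the other table marks Pro to Home ❌ and Enterprise/Education as "-". The note at the top of this article sends readers to that table for downgrade paths, so reconcile the two before publishing, and consider adding the Pro for Workstations and Enterprise LTSC rows that the other table has. Smaller points: "follow the same upgrade paths shown in the following tables" should say "table" (there is only one); the link text "product keys:Generic Volume License Keys" is missing a space after the colon; the LTSB/LTSC naming is mixed within one list item ("Windows 10 Enterprise 2016 LTSB" in the paragraph, "Windows 10 LTSC 2015" and "Windows 10 LTSC 2016" in the note); and the file is missing a trailing newline.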
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
deleted file mode 100644
index c57dd5bce0..0000000000
--- a/windows/deployment/windows-10-media.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Windows 10 volume license media
-description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
----
-
-# Windows 10 volume license media
-
-*Applies to:*
-
-- Windows 10
-
-With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
-
-## Windows 10 media
-
-To download Windows 10 installation media from the VLSC, use the product search filter to find "Windows 10." A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
-
-When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Education", you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
-
-> [!NOTE]
-> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
-
-Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
-
-### Language packs
-
-- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
-
-### Features on demand
-
-[Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
-
-Features on demand is a method for adding features to your Windows 10 image that aren't included in the base operating system image.
-
-## Related articles
-
-[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
- [Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
- [Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
- [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
- [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
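Review bot: deleting this article removes the description of how VLSC bundles the Pro, Enterprise and Education media, the Multilanguage language-pack requirement and the Features on Demand download path; confirm the destination the old URL now resolves to covers those points, and that no remaining articles (in particular the volume-activation pages this file linked to) still link to windows-10-media.md, or those links will break.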
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index e9e8b08de8..31f2216143 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 09/11/2023
+ms.date: 10/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -33,6 +33,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Message center post number | Description |
| ----- | ----- |
+| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
+| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index b341fb250c..83dda7c0fe 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,7 +15,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 06/20/2023
+ ms.date: 09/26/2023
highlightedContent:
items:
@@ -34,15 +34,19 @@ highlightedContent:
- title: Windows commercial licensing
itemType: overview
url: /windows/whats-new/windows-licensing
+ - title: Copilot in Windows
+ itemType: how-to-guide
+ url: /windows/client-management/manage-windows-copilot
- title: Windows 365 documentation
itemType: overview
url: /windows-365
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- - title: Enroll Windows client devices in Microsoft Intune
- itemType: how-to-guide
- url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+
+# - title: Enroll Windows client devices in Microsoft Intune
+# itemType: how-to-guide
+# url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
productDirectory:
title: Get started
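Review bot: the Intune enrollment entry at the end of the highlightedContent list is commented out rather than removed (the three `#` lines replacing the `- title: Enroll Windows client devices in Microsoft Intune` item). Commented-out YAML in a published hub file is dead configuration that git history already preserves; delete the lines, or state in the PR that the entry is meant to return.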
@@ -69,10 +73,10 @@ productDirectory:
links:
- url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- - url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works
- text: Credential Guard
- - url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust
- text: Windows Hello for Business cloud Kerberos trust
+ - url: /windows/security/identity-protection/hello-for-business
+ text: Windows Hello for Business
+ - url: /windows/security/identity-protection/web-sign-in
+ text: Web sign-in for Windows
- url: /windows/security/threat-protection/windows-defender-application-control
text: Windows Defender Application Control (WDAC)
- url: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
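Review bot: the Credential Guard link is dropped from the security section with no replacement, while the cloud Kerberos trust link is folded into the new Windows Hello for Business landing page, which is fine. Credential Guard is a core credential-theft mitigation that readers look for on this hub; keep the `/windows/security/identity-protection/credential-guard/credential-guard-how-it-works` entry, or confirm it's linked elsewhere in the file.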
@@ -105,8 +109,8 @@ productDirectory:
text: Configuration Service Provider (CSP)
- url: /windows/client-management/administrative-tools-in-windows-10
text: Windows administrative tools
- - url: /windows/client-management/client-tools/quick-assist
- text: Use Quick Assist to help users
+ - url: /windows/client-management/manage-windows-copilot
+ text: Manage Copilot in Windows
- url: /windows/application-management/index
text: Learn more about application management >
- url: /windows/client-management
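Review bot: Copilot in Windows now appears twice on the hub: this hunk replaces the Quick Assist link with `/windows/client-management/manage-windows-copilot`, and the same URL is added to highlightedContent earlier in this file. Drop one of the two, and consider keeping the Quick Assist entry in the client-management list, since it's an administrative tool and this section is the list of such tools.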
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9407853770..c487f33918 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1933,7 +1933,7 @@ To turn off these recommendations, you can use any of the following methods:
- In Group Policy, set the "Remove Recommended from Start Menu" policy to Enabled under **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
- In an MDM solution, such as Microsoft Intune, you can use the [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP).
- In the registry, you can set **HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs** to 0.
-- In the UI, you can turn off **Show recommendations for tips, shortcuts, new apps, and more** under **Settings** > **Personalization** > **Start**.
+- In the UI, you can turn off **Show recently opened items in Start, Jump Lists, and File Explorer** under **Settings** > **Personalization** > **Start**.
### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
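Review bot: the four methods in this list no longer control the same setting. The new UI label "Show recently opened items in Start, Jump Lists, and File Explorer", like the `Start_TrackDocs` registry value and the `HideRecentJumplists` CSP setting, governs recent-item history, while the Group Policy "Remove Recommended from Start Menu" removes the Recommended section itself, which is what the lead-in "To turn off these recommendations" promises. Either split the list into the two controls or state which one each method affects, so a reader applying the restricted-traffic baseline doesn't assume the registry value removes Recommended.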
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
index 170525c906..729ecd07ee 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
@@ -1,42 +1,71 @@
---
-title: Managing CI Policies and Tokens with CiTool
-description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
-ms.topic: how-to
-ms.date: 04/05/2023
+title: Managing CI policies and tokens with CiTool
+description: Learn how to use policy commands, token commands, and miscellaneous commands in CiTool
+ms.topic: reference
+ms.date: 10/02/2023
appliesto:
- ✅ Windows 11
---
# CiTool technical reference
-CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CiTool to update and manage policies. CiTool is currently included as part of the Windows image in Windows 11 version 22H2.
+CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. You can use this tool to manage Windows Defender Application Control policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
-## Policy Commands
+## Policy commands
| Command | Description | Alias |
|--------|---------|---------|
-| --update-policy `` | Add or update a policy on the current system | -up |
-| --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp |
-| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp |
+| `--update-policy ` | Add or update a policy on the current system. | `-up` |
+| `--remove-policy ` | Remove a policy indicated by PolicyGUID from the system. | `-rp` |
+| `--list-policies` | Dump information about all policies on the system, whether they're active or not. | `-lp` |
-## Token Commands
+## Token commands
| Command | Description | Alias |
|--------|---------|---------|
-| --add-token `` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
-| --remove-token `` | Remove a Token indicated by ID from the system. | -rt |
-| --list-tokens | Dump information about all tokens on the system | -lt |
+| `--add-token <--token-id ID>` | Deploy a token onto the current system, with an optional specific ID. | `-at` |
+| `--remove-token ` | Remove a token indicated by ID from the system. | `-rt` |
+| `--list-tokens` | Dump information about all tokens on the system. | `-lt` |
> [!NOTE]
-> Regarding `--add-token`, if `` is specified, a pre-existing token with `` should not exist.
+> Regarding `--add-token`, if `` is specified, a pre-existing token with `` shouldn't exist.
-## Miscellaneous Commands
+## Miscellaneous commands
| Command | Description | Alias |
|--------|---------|---------|
-| --device-id | Dump the Code Integrity Device ID | -id |
-| --refresh | Attempt to Refresh WDAC Policies | -r |
-| --help | Display the tool's help menu | -h |
+| `--device-id` | Dump the code integrity device ID. | `-id` |
+| `--refresh` | Attempt to refresh WDAC policies. | `-r` |
+| `--help` | Display the tool's help menu. | `-h` |
+
+## Output attributes and descriptions
+
+### List policies (`--list-policies`)
+
+```output
+ Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+ Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+ Friendly Name: Microsoft Windows Driver Policy
+ Version: 2814751463178240
+ Platform Policy: true
+ Policy is Signed: true
+ Has File on Disk: false
+ Is Currently Enforced: true
+ Is Authorized: true
+ Status: 0
+```
+
+| Attribute | Description | Example value |
+|--------|---------|---------|
+| Policy ID | Lists the ID of the policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Base Policy ID | Lists the ID of the base policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Friendly Name | Value listed in `` | `Microsoft Windows Driver Policy` |
+| Version | Version of the policy listed in `` | `2814751463178240` |
+| Platform Policy | Indicates whether the policy is provided by Microsoft, for example in the vulnerable driver blocklist policy. | `true` |
+| Policy is Signed | Indicates whether the policy has a valid signature. | `true` |
+| Has File on Disk | Indicates whether the policy file is currently on the disk. | `false` |
+| Is Currently Enforced | Indicates whether the policy file is active. | `true` |
+| Is Authorized | If the policy requires a token to be activated, this value is the state of authorization for the token. If the policy doesn't require a token, this value matches the value for the **Is Currently Enforced** property. | `true` |
## Examples
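Review bot: the argument placeholders are missing from the command tables: `--update-policy `, `--remove-policy `, `--remove-token ` and `--add-token <--token-id ID>` have nothing after the switch, and the Friendly Name and Version rows refer to "Value listed in ``" with an empty element name. The angle-bracket placeholders from the previous version (policy file path, PolicyGUID, token file, setting element) appear to have been swallowed as HTML when the backticks were added; escape them or use a non-angle placeholder such as `PolicyPath`. Two more points: the `--list-policies` sample output includes a `Status: 0` line that has no row in the attribute table, so add one and say what non-zero values mean; and the Version row shows `2814751463178240`, a packed 64-bit number, while its description points at the dotted version element of the policy XML, so state that the tool prints the packed form rather than the dotted string.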
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index efbf40ef92..0cc106f7cb 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -39,7 +39,7 @@ This content set contains:
- [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
- [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
-[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
+[!INCLUDE [access-control-aclsacl](../../../../includes/licensing/access-control-aclsacl.md)]
## Practical applications
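Review bot: the include path changes from `access-control-aclsscals.md` to `access-control-aclsacl.md`, but the new include file isn't part of this diff; confirm it exists under `includes/licensing/` (or is added in the same PR), otherwise the build fails on the unresolved include.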
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 64d320047f..d053855ed5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,9 +1,8 @@
---
title: Windows Hello for Business cloud-only deployment
description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 06/23/2021
+ms.date: 10/03/2023
ms.topic: how-to
-ms.custom: has-azure-ad-ps-ref
---
# Cloud-only deployment
@@ -11,34 +10,34 @@ ms.custom: has-azure-ad-ps-ref
## Introduction
-When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, there's no additional configuration needed.
+When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
+You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
> [!NOTE]
-> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+> During the out-of-box experience (OOBE) flow of an Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
## Prerequisites
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
-Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
-Check and view this setting with the following MSOnline PowerShell command:
+```powershell
+Connect-MgGraph
+$DomainId = ""
+Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
+```
-`Get-MsolDomainFederationSettings -DomainName `
+To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain.
-To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
+```powershell
+Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
+```
-`Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false`
-
-Example:
-
-`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
-
-If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
+If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
## Use Intune to disable Windows Hello for Business enrollment
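Review bot: the `Update-MgDomainFederationConfiguration` call is missing the mandatory `-InternalDomainFederationId` parameter; the cmdlet targets `/domains/{id}/federationConfiguration/{internalDomainFederation-id}`, so as written it prompts for the ID instead of running unattended. Take the `Id` from the preceding `Get-MgDomainFederationConfiguration` output and pass it. `Connect-MgGraph` is also called without `-Scopes`; reading the federation configuration needs `Domain.Read.All` and updating it needs `Domain.ReadWrite.All`, so request them explicitly rather than relying on whatever consent the session already has. The `$DomainId = ""` line lost its placeholder (the old MSOnline example used a domain name such as contoso.com); put a placeholder back. Grammar: "an Microsoft Entra join" should be "a Microsoft Entra join", and "If you use configure the flag" should be "If you configure the flag".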
@@ -63,7 +62,7 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`**
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -83,12 +82,3 @@ These registry settings can be applied from Local or Group Policies:
- Value = **0** for Disable or Value = **1** for Enable
If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
-
-## Related reference documents for Azure AD join scenarios
-
-- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join)
-- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
-- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
-- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin)
-- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
-- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
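Review bot: removing the Related section drops this article's only pointer to managing the local administrators group on joined devices and to the device-deployment planning guide; if the pruning is intentional because these live on the Windows Hello for Business landing page, fine, otherwise keep those two links under the existing heading with the Microsoft Entra naming applied.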
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
@@ -0,0 +1,11 @@
+
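Review bot: the hunk header declares 11 added lines for key-credential-provider.svg but only one blank `+` line is shown, so the SVG markup can't be reviewed from this view; confirm the committed file is a complete, well-formed SVG (an `<svg` root with a `viewBox` and a closing `</svg>`) and that something references it, since none of the markdown hunks visible here points at `images/passwordless/key-credential-provider.svg`.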
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
index 2ef07cd63c..d8aba4d740 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 690c5f984c..c3a0d37737 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -13,7 +13,7 @@ This article describes Windows' password-less strategy and how Windows Hello for
Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
-:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
+:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
### 1. Develop a password replacement offering
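Review bot: `four-steps-passwordless-strategy.png` is now referenced from `images/passwordless-strategy/`, but no rename for that file appears among the rename entries visible here (those cover gpmc-security-options, require-whfb-smart-card-policy and the three adac-*-scril images); confirm it was moved, otherwise the image link breaks. This same change also adds new files under the old `images/passwordless/` folder (edge-on.png, lock-screen-*.png, uac-*.png, key-credential-provider.svg) while this article moves its references to `images/passwordless-strategy/`; make sure both folders are intentional and that nothing left in `images/passwordless/` ends up unreferenced.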
@@ -224,17 +224,17 @@ Windows provides two ways to prevent your users from using passwords. You can us
You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
**Windows Server 2016 and earlier**
The policy name for these operating systems is **Interactive logon: Require smart card**.
-:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
**Windows 10, version 1703 or later using Remote Server Administrator Tools**
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
+:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
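Review bot: the rename for `gpmc-require-smart-card-policy.png` is not among the rename entries visible in this change (only gpmc-security-options and require-whfb-smart-card-policy are), so verify the file exists at the new path. While these lines are being touched, the two sub-sections introduced as bold text (`**Windows Server 2016 and earlier**` and `**Windows 10, version 1703 or later using Remote Server Administrator Tools**`) act as headings; consider making them `####` headings so they show in the page outline and the structure matches the rest of the article.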
@@ -242,11 +242,11 @@ When you enable this security policy setting, Windows prevents users from signin
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
-:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
-:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
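Review bot: the renames for `gpmc-exclude-credential-providers.png` and `exclude-credential-providers-properties.png` are not among the visible rename entries, so verify both exist under `images/passwordless-strategy/`. The explanatory sentence repeats its subject (`Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it`); tighten it to `Excluding it hides the provider from Windows and from any application that tries to load it`. The caveat that follows, that applications can still show their own password dialogs, is the key security point of this section and would be clearer as a `> [!IMPORTANT]` callout, since it is the reason this setting alone does not make the device password-less.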
@@ -296,7 +296,7 @@ The account options on a user account include the option **Smart card is require
The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
-:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
+:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
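Review bot: in the context line `domain controllers hosting the user account don't allow the user to sign-in interactively with a password`, `sign-in` is the noun form; the verb is `sign in`. In the same paragraph, `Users will no longer need to change their password when it expires` reads better in the present tense used elsewhere on the page (`Users no longer need to change their password`).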
@@ -307,7 +307,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
-:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
> [!NOTE]
> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
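Review bot: the note says `generate a new random 128 bit password` while the later hunk in this file says `128-bit password`; hyphenate consistently as `128-bit`. `in early domains` is also unclear; the later context (`Domains configured for Windows Server 2016 or later domain functional level can`) indicates this means domains below the Windows Server 2016 functional level, so say that explicitly.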
@@ -321,7 +321,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
-:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
> [!TIP]
> Windows Hello for Business was formerly known as Microsoft Passport.
@@ -332,8 +332,7 @@ Domains configured for Windows Server 2016 or later domain functional level can
In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
-:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
> [!NOTE]
> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
-
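Review bot: `This feature is great because your users don't experience any change password notifications or any authentication outages` is marketing tone for a reference article; prefer a plain statement such as `Users don't receive change-password notifications or experience authentication outages`. Removing the trailing blank line at the end of the file is fine. In the NOTE, `Some components within Windows 10` may be narrower than the article's scope; if the page also applies to Windows 11, `Some components within Windows` avoids dating it.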
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ad2fc7674a..cc9f23c50f 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -4,8 +4,6 @@ items:
- name: Concepts
expanded: true
items:
- - name: Passwordless strategy
- href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
- name: Windows Hello biometrics in the enterprise
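Review bot: removing the `Passwordless strategy` entry leaves `passwordless-strategy.md` without a TOC entry even though this same change still updates that file (the image-path hunks) rather than deleting it. Confirm the article stays reachable, either through a TOC entry elsewhere, a redirect, or inbound links, and say so in the PR description; otherwise it becomes an orphaned page.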
@@ -112,6 +110,8 @@ items:
items:
- name: PIN reset
href: hello-feature-pin-reset.md
+ - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+ href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- name: Dual enrollment
href: hello-feature-dual-enrollment.md
- name: Dynamic Lock
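Review bot: the new TOC name `Windows Hello Enhanced Security Sign-in (ESS)` doesn't match the target URL slug `windows-hello-enhanced-sign-in-security`; check the title of the linked page and use the same feature name so the TOC entry and the destination agree. Also confirm the 🔗 suffix is the convention this TOC uses for cross-docset links, since the neighbouring entries use relative `.md` hrefs without it.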
diff --git a/windows/security/identity-protection/passkeys/images/delete-passkey.png b/windows/security/identity-protection/passkeys/images/delete-passkey.png
new file mode 100644
index 0000000000..1363d8db62
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/delete-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save-qr.png b/windows/security/identity-protection/passkeys/images/device-save-qr.png
new file mode 100644
index 0000000000..e551a1e528
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save-qr.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save.png b/windows/security/identity-protection/passkeys/images/device-save.png
new file mode 100644
index 0000000000..240b3a9695
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-use.png b/windows/security/identity-protection/passkeys/images/device-use.png
new file mode 100644
index 0000000000..5aa3daea3d
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save-confirm.png b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png
new file mode 100644
index 0000000000..b9fdda9002
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save.png b/windows/security/identity-protection/passkeys/images/hello-save.png
new file mode 100644
index 0000000000..785a45596b
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png
new file mode 100644
index 0000000000..4139c708c3
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use.png b/windows/security/identity-protection/passkeys/images/hello-use.png
new file mode 100644
index 0000000000..df46054877
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/laptop.svg b/windows/security/identity-protection/passkeys/images/laptop.svg
new file mode 100644
index 0000000000..2440c97fd5
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/laptop.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
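Review bot: `laptop.svg` is committed without a trailing newline (`\ No newline at end of file`), and the same applies to `phone.svg`, `qr-code.svg` and `usb.svg` further down; add the final newline so later edits don't produce noisy diffs. As with the other SVG hunk in this change, the declared 3 added lines render here as a single blank `+` line, so the markup itself can't be checked from this view; confirm each file is a well-formed SVG that renders correctly in the `:::image type="icon"` tab headers of index.md.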
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-connect.png b/windows/security/identity-protection/passkeys/images/linked-device-connect.png
new file mode 100644
index 0000000000..34cb085968
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-connect.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-save.png b/windows/security/identity-protection/passkeys/images/linked-device-save.png
new file mode 100644
index 0000000000..48bd40f658
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-use.png b/windows/security/identity-protection/passkeys/images/linked-device-use.png
new file mode 100644
index 0000000000..5aeacdae7a
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/phone.svg b/windows/security/identity-protection/passkeys/images/phone.svg
new file mode 100644
index 0000000000..acb1dce81f
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/phone.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/qr-code.svg b/windows/security/identity-protection/passkeys/images/qr-code.svg
new file mode 100644
index 0000000000..d84c521351
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/qr-code.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/save-passkey.png b/windows/security/identity-protection/passkeys/images/save-passkey.png
new file mode 100644
index 0000000000..9dd3799a14
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/save-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-save.png b/windows/security/identity-protection/passkeys/images/security-key-save.png
new file mode 100644
index 0000000000..a17554e17c
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-setup.png b/windows/security/identity-protection/passkeys/images/security-key-setup.png
new file mode 100644
index 0000000000..192d63cc74
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-setup.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-use.png b/windows/security/identity-protection/passkeys/images/security-key-use.png
new file mode 100644
index 0000000000..1513aa359e
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/usb.svg b/windows/security/identity-protection/passkeys/images/usb.svg
new file mode 100644
index 0000000000..18027400c1
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/usb.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/use-passkey.png b/windows/security/identity-protection/passkeys/images/use-passkey.png
new file mode 100644
index 0000000000..1ff07346ea
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/use-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/website.png b/windows/security/identity-protection/passkeys/images/website.png
new file mode 100644
index 0000000000..d344d8dbde
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/website.png differ
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
new file mode 100644
index 0000000000..40d33d3ed3
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -0,0 +1,329 @@
+---
+title: Support for passkeys in Windows
+description: Learn about passkeys and how to use them on Windows devices.
+ms.collection:
+- highpri
+- tier1
+ms.topic: article
+ms.date: 09/27/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Support for passkeys in Windows
+
+Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.
+
+You can use passkeys with any applications or websites that support them, to create and sign in with Windows Hello. Once a passkey is created and stored with Windows Hello, you can use your device's biometrics or PIN to sign in. Alternatively, you can use a companion device (phone or tablet) to sign in.
+
+> [!NOTE]
+> Starting in Windows 11, version 22H2 with [KB5030310][KB-1], Windows provides a native experience for passkey management. However, passkeys can be used in all supported versions of Windows clients.
+
+This article describes how to create and use passkeys on Windows devices.
+
+## How passkeys work
+
+Microsoft has long been a founding member of the FIDO Alliance and has helped to define and use passkeys natively within a platform authenticator like Windows Hello. Passkeys utilize the FIDO industry security standard, which is adopted by all major platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys.
+
+The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user's device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).
+
+FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted across the network or to the service.
+
+### Passkeys compared to passwords
+
+Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
+
+[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)]
+
+## User experiences
+
+### Create a passkey
+
+Follow these steps to create a passkey from a Windows device:
+
+:::row:::
+ :::column span="4":::
+
+ 1. Open a website or app that supports passkeys
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 2. Create a passkey from your account settings
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
+- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
+- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ 4. Select **Next**
+ :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to save a passkey, based on where you want to store it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Select a Windows Hello verification method and proceed with the verification, then select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-save.png" alt-text="Screenshot showing the Windows Hello face verification method." lightbox="images/hello-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. The passkey is saved to your Windows device. To confirm select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-save-confirm.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirm.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Scan the QR code with your phone or tablet. Wait for the connection to the device to be established and follow the instructions to save the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the QR code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to your phone or tablet, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-save.png" alt-text="Screenshot confirming that the passkey is saved to the device." lightbox="images/device-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Once the connection to the linked device is established, follow the instructions on the device to save the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-connect.png" alt-text="Screenshot showing the passkey save dialog connecting to a linked device." lightbox="images/linked-device-connect.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to your linked device, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-save.png" alt-text="Screenshot confirming that the passkey is saved to the linked device." lightbox="images/linked-device-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+ :::column span="3":::
+
+ 5. Select **OK** to confirm that you want to set up a security key, and unlock the security key using the key's unlock mechanism
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-setup.png" alt-text="Screenshot showing a prompt to use a security key to store the passkey." lightbox="images/security-key-setup.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 6. Once the passkey is saved to the security key, select **OK**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-save.png" alt-text="Screenshot confirming that the passkey is saved to the security key." lightbox="images/security-key-save.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+---
+
+### Use a passkey
+
+Follow these steps to use a passkey:
+
+:::row:::
+ :::column span="3":::
+ 1. Open a website or app that supports passkeys
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Select **Sign in with a passkey**, or a similar option
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
+- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
+- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to use a passkey, based on where you saved it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Select a Windows Hello unlock option
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the Windows Hello prompt for a verification method." lightbox="images/hello-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. Select **OK** to continue signing in
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/device-use.png" alt-text="Screenshot showing the QR code to scan from your phone or tablet." lightbox="images/device-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/linked-device-use.png" alt-text="Screenshot showing that the linked device is connected to Windows." lightbox="images/linked-device-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+ :::column span="3":::
+
+ 4. Unlock the security key using the key's unlock mechanism
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing a prompt asking the user to unlock the security key." lightbox="images/security-key-use.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+
+ 5. You're signed in to the website or app
+
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+
+---
+
+### Manage passkeys
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Settings app to view and manage passkeys saved for apps or websites. Go to **Settings > Accounts > Passkeys**, or use the following shortcut:
+
+> [!div class="nextstepaction"]
+>
+> [Manage passkeys][MSS-1]
+
+- A list of saved passkeys is displayed and you can filter them by name
+- To delete a passkey, select **... > Delete passkey** next to the passkey name
+
+:::image type="content" source="images/delete-passkey.png" alt-text="Screenshot of the Settings app showing the delete option for a passkey." lightbox="images/delete-passkey.png" border="false":::
+
+> [!NOTE]
+> Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services.
+
+## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**.
+
+
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[KB-1]: https://support.microsoft.com/kb/5030310
+[MSS-1]: ms-settings:savedpasskeys
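Review bot: The Feedback Hub link at the bottom of this file (`[FHUB]: feedback-hub:?tabid=2&newFeedback=true`) differs from the form the passwordless experience and Web sign-in articles in this same change use (`feedback-hub://?tabid=2&newFeedback=true&feedbackType=1`); pick one so all three deep links open the same way. Two smaller consistency points in this hunk: the step 5 row under the *Phone or tablet* tab uses a single `:::column span="4":::` while the matching rows under the *Linked phone or tablet* and *Security key* tabs use `span="3"` plus an empty `span="1"` column, and the *Provide feedback* heading is an H2 here but an H3 in the other two new articles.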
diff --git a/windows/security/identity-protection/passwordless-experience/images/edge-on.png b/windows/security/identity-protection/passwordless-experience/images/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/edge-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
@@ -0,0 +1,11 @@
+
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-off.png b/windows/security/identity-protection/passwordless-experience/images/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-on.png b/windows/security/identity-protection/passwordless-experience/images/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
new file mode 100644
index 0000000000..d42f5fb84f
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -0,0 +1,143 @@
+---
+title: Windows passwordless experience
+description: Learn how Windows passwordless experience enables your organization to move away from passwords.
+ms.collection:
+ - highpri
+ - tier1
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+ - ✅ Windows 11
+---
+
+# Windows passwordless experience
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
+
+With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
+
+- Can't use the password credential provider on the Windows lock screen
+- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
+- Don't have the option *Accounts > Change password* in the Settings app
+
+ >[!NOTE]
+ >Users can reset their password using CTRL+ALT+DEL > **Manage your account**
+
+Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra ID accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
+The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
+
+This article explains how to enable Windows passwordless experience and describes the user experiences.
+
+>[!TIP]
+> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
+
+## System requirements
+
+Windows passwordless experience has the following requirements:
+
+- Windows 11, version 22H2 with [KB5030310][KB-1] or later
+- Microsoft Entra joined
+- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key
+- MDM-managed: Microsoft Intune or other MDM solution
+
+>[!NOTE]
+>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
+
+[!INCLUDE [windows-passwordless-experience](../../../../includes/licensing/windows-passwordless-experience.md)]
+
+## Enable Windows passwordless experience with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Enable Passwordless Experience | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience` - **Data type:** int - **Value:** `1`|
+
+## User experiences
+
+### Lock screen experience
+
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: in the Windows lock screen.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/lock-screen-off.png" lightbox="images/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/lock-screen-on.png" lightbox="images/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
+ :::column-end:::
+:::row-end:::
+
+### In-session authentication experiences
+
+When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
+
+- Password Manager in a web browser
+- Connecting to file shares or intranet sites
+- User Account Control (UAC) elevation, except if a local user account is used for elevation
+
+>[!NOTE]
+> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
+>
+> *Run as different user* is not impacted by Windows passwordless experience.
+
+Example of UAC elevation experience:
+
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/uac-off.png" lightbox="images/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/uac-on.png" lightbox="images/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
+ :::column-end:::
+:::row-end:::
+
+## Recommendations
+
+Here's a list of recommendations to consider before enabling Windows passwordless experience:
+
+- If Windows Hello for Business is enabled, configure the [PIN reset](../hello-for-business/hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
+- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows passwordless experience from working
+- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
+ - The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows passwordless experience only applies to Microsoft Entra ID accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
+ - Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
+- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
+
+## Known issues
+
+There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-2]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[SERV-1]: /windows-server/identity/laps/laps-overview
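Review bot: The opening paragraph introduces the feature as "a security policy", but the article later says it "isn't about preventing users from using passwords" and that *Other user* still accepts a password; say up front that this is a user-experience policy, not a control that blocks password authentication, so admins don't count it as a mitigation for password-based attacks. Wording fixes in that same paragraph: "the last signed in user who signed in Windows Hello or a FIDO2 security key" is missing "with", and "isn't about preventing users from using passwords, rather to guide and educate them" reads better as "rather, it's meant to guide and educate them". The `>[!NOTE]` under the *Change password* bullet is indented by a single space, which won't nest it under the list item; match the list's indentation. The custom-policy table packs OMA-URI, data type and value into one cell with ` - ` separators, while the Web sign-in article in this change uses a two-column OMA-URI table and writes the path as `./Vendor/MSFT/Policy/Config/Authentication/...` without the `./Device` prefix used here; align the two articles. In the recommendations, "consider enabling the local administrator account or create a separate one" should read "or creating a separate one".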
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index 2b006e3ca0..5762bfaf81 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -3,16 +3,18 @@ items:
href: index.md
- name: Passwordless sign-in
items:
- - name: Windows Hello for Business 🔗
- href: hello-for-business/index.md
+ - name: Passwordless strategy
+ href: hello-for-business/passwordless-strategy.md
+ - name: Windows Hello for Business
+ href: hello-for-business/toc.yml
- name: Windows presence sensing
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
- - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
- href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- - name: FIDO 2 security key 🔗
+ - name: FIDO2 security key 🔗
href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
- - name: Federated sign-in 🔗
- href: /education/windows/federated-sign-in
+ - name: Windows passwordless experience
+ href: passwordless-experience/index.md
+ - name: Passkeys
+ href: passkeys/index.md
- name: Smart Cards
href: smart-cards/toc.yml
- name: Virtual smart cards
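Review bot: The *Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗* entry is removed in this hunk and not re-added anywhere else in the TOC, so the external ESS page loses its navigation entry; confirm this is intended, or keep it under *Passwordless sign-in*. The *Federated sign-in 🔗* entry removed here reappears in the next hunk, so that removal is fine. The *Windows Hello for Business* entry now points at `hello-for-business/toc.yml` and drops the 🔗 marker, which is consistent with the other in-repo entries.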
@@ -20,6 +22,10 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
+ - name: Web sign-in
+ href: web-sign-in/index.md
+ - name: Federated sign-in 🔗
+ href: /education/windows/federated-sign-in
- name: Advanced credential protection
items:
- name: Windows LAPS (Local Administrator Password Solution) 🔗
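Review bot: *Web sign-in* and *Federated sign-in 🔗* are added after *Enterprise Certificate Pinning* rather than under the *Passwordless sign-in* group, even though the previous TOC listed Federated sign-in under *Passwordless sign-in* and the new Web sign-in article presents passwordless sign-in as its first key scenario; either move both entries into that group or note in the PR why they now sit at the top level.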
diff --git a/windows/security/identity-protection/web-sign-in/images/lock-screen.png b/windows/security/identity-protection/web-sign-in/images/lock-screen.png
new file mode 100644
index 0000000000..dfe0a0687e
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/lock-screen.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif
new file mode 100644
index 0000000000..499f39dbb5
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png
new file mode 100644
index 0000000000..be213d4500
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
new file mode 100644
index 0000000000..1afb38e115
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
@@ -0,0 +1,4 @@
+
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif
new file mode 100644
index 0000000000..403c7fb609
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png
new file mode 100644
index 0000000000..f22395fbd7
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif
new file mode 100644
index 0000000000..9ae9f3c92f
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png
new file mode 100644
index 0000000000..e3b341d814
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png
new file mode 100644
index 0000000000..01d91be145
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif
new file mode 100644
index 0000000000..b677b87480
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png
new file mode 100644
index 0000000000..18c20dd4fd
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png differ
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
new file mode 100644
index 0000000000..80f4e2403f
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -0,0 +1,172 @@
+---
+title: Web sign-in for Windows
+description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+ - ✅ Windows 11
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Web sign-in for Windows
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
+This feature is called *Web sign-in*.
+
+Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
+For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
+
+This article describes how to configure Web sign-in and the supported key scenarios.
+
+## System requirements
+
+To use web sign-in, the clients must meet the following prerequisites:
+
+- Windows 11, version 22H2 with [5030310][KB-1], or later
+- Must be Microsoft Entra joined
+- Must have Internet connectivity, as the authentication is done over the Internet
+
+[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
+
+## Configure web sign-in
+
+To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Authentication | Enable Web Sign In | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains required for sign in, for example: - `idp.example.com` - `example.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, for example: `example.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
+
+| OMA-URI | More information |
+|-|-|
+| `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`| [EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin) |
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`|[ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#configurewebsigninallowedurls)|
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`|[ConfigureWebcamAccessDomainNames](/windows/client-management/mdm/policy-csp-authentication#configurewebcamaccessdomainnames)|
+
+#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
+
+| Path | Setting name | Value |
+|--|--|--|
+| `Policies/Authentication` | `EnableWebSignIn` | Enabled |
+| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains required for sign in, for example: `idp.example.com;example.com` |
+| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` |
+
+[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
+
+---
+
+## User experiences
+
+Once the devices are configured, a new sign-in experience becomes available, as indicated by the presence of the Web sign-in credential provider :::image type="icon" source="images/web-sign-in-credential-provider.svg" border="false"::: in the Windows lock screen.
+
+:::image type="content" source="images/lock-screen.png" border="false" lightbox="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
+
+Here's a list of key scenarios supported by Web sign-in, and a brief animation showing the user experience. Select the thumbnail to start the animation.
+
+### Passwordless sign-in
+:::row:::
+ :::column span="3":::
+ Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-authenticator.png" border="false" lightbox="images/web-sign-in-authenticator.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
+ :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> When used in conjuction with *Windows Hello for Business passwordless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+
+To learn more:
+- [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
+- [Passwordless authentication options for Microsoft Entra ID][AAD-2]
+- [Windows passwordless experience](../passwordless-experience/index.md)
+
+### Windows Hello for Business PIN reset
+
+:::row:::
+ :::column span="3":::
+ The Windows Hello PIN reset flow is seamless and more robust than in previous versions.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
+ :::column-end:::
+:::row-end:::
+
+For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
+
+### Temporary Access Pass (TAP)
+
+:::row:::
+ :::column span="3":::
+ A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. For example:
+
+ - to onboard Windows Hello for Business or a FIDO2 security key
+ - if lost or forgotten FIDO2 security key and unknown password
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
+ :::column-end:::
+:::row-end:::
+
+For more information, see [Use a Temporary Access Pass][AAD-3].
+
+### Sign in with a federated identity
+
+:::row:::
+ :::column span="3":::
+ If the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/web-sign-in-federated-auth.png" border="false" lightbox="images/web-sign-in-federated-auth.gif" alt-text="Animation of the sign in experience with a federated user.":::
+ :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> To improve the user experience for federated identities:
+>
+> - Configure the *preferred Azure AD tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page.
+> - Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
+
+For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1].
+
+## Important considerations
+
+Here's a list of important considerations to keep in mind when configuring or using Web sign-in:
+
+- Cached credentials aren't supported with Web sign-in. If the device is offline, the user can't use the Web sign-in credential provider to sign in
+- After sign out, the user isn't displayed in the user selection list
+- Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
+- The user can exit the Web sign-in flow by pressing Ctrl+Alt+Delete to get back to the Windows lock screen
+
+### Known issues
+
+- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press Ctrl+Alt+Delete to get back to the lock screen.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for web sign-in, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+
+
+[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[AAD-2]: /azure/active-directory/authentication/concept-authentication-passwordless
+[AAD-3]: /azure/active-directory/authentication/howto-authentication-temporary-access-pass
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[WIN-1]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
+[WIN-2]: /windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider
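Review bot: The custom-policy table spells the third setting two ways in one row, `ConfigureWebCamAccessDomainNames` in the OMA-URI and `ConfigureWebcamAccessDomainNames` in the link text (the PPKG table also uses `WebCam`); use the spelling the Policy CSP reference documents in both places, since readers copy the OMA-URI verbatim. The OMA-URIs here omit the `./Device` scope that the passwordless experience article in this change includes; make the two articles consistent. The *Configure Web Sign In Allowed Urls* row says the list contains "domains required for sign in" but not what the list governs; the webcam row does say what its list allows, so phrase this one the same way. Smaller fixes: the system requirements bullet cites "[5030310][KB-1]" without the KB prefix used elsewhere; the include label `federated-sign-in` points at `web-sign-in.md`; "configured with different policies" should be "configured with the following policies"; "conjuction" in the tip; the alt text "Animation of the PIN reset in experience"; "if lost or forgotten FIDO2 security key and unknown password" needs rewording (for example "if the FIDO2 security key is lost or forgotten and the password is unknown"); "federated users can sign using" is missing "in"; the tip refers to the *preferred Azure AD tenant name* while the rest of the article uses Microsoft Entra naming; and confirm that Web sign-in feedback is meant to go under the *Passwordless experience* Feedback Hub category rather than its own.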
diff --git a/windows/security/images/icons/feedback.svg b/windows/security/images/icons/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/images/icons/feedback.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/images/icons/key.svg b/windows/security/images/icons/key.svg
new file mode 100644
index 0000000000..c9df33c18f
--- /dev/null
+++ b/windows/security/images/icons/key.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/security/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
index 34f9e6a785..8b6b510ef4 100644
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -10,17 +10,17 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** | |
| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** | |
| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
## Application isolation
| Feature name | Description |
|:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
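Review bot: The re-added AppLocker row (`+| **[AppLocker](...applocker-overview)** | |`) still has an empty Description cell, so this change fixes the link but leaves a blank entry in the feature table; it needs a one-line description, for instance that AppLocker remains available for customers who used it on previous Windows versions while WDAC is the recommended application control solution, as the WDAC row above already says. In the two updated MDAG rows, "user must manually start Microsoft Edge in Application Guard from Edge menu" should read "users must manually start Microsoft Edge in Application Guard from the Edge menu", and "can customizing the Application Guard experience" should be "can customize". Since this hunk touches the table anyway, the unchanged UAC row states its sentence about blocking automatic installation of unauthorized apps twice, and the public APIs row's "Enable applications using them to be isolated Hyper-V based container" is missing "in an".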
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
index 07fc5b88b5..4e338bf4cd 100644
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,10 +9,10 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.
IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.
To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
-| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
+| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
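Review bot: In the renamed identity row, "Microsoft Entra Hybrid join" capitalizes "Hybrid" while "Microsoft Entra join" in the same cell does not; pick one form for both. The feature-name order also changed so that Active Directory domain join now comes first, ahead of the Microsoft Entra options that the description actually describes ("Microsoft Entra ID is a comprehensive cloud-based identity management solution"), which is worth a second look. While this table is being touched, the unchanged "Modern device management through (MDM)" row title has a stray parenthesis ("Modern device management (MDM)" reads correctly), and its description repeats the MDM sentences already present in the Security baselines row above it.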
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
index 11a4f97b60..fa6c065293 100644
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -20,7 +20,7 @@ ms.topic: include
| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
## Secured-core PC
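Review bot: The updated Kernel DMA row keeps "protects against external peripherals from gaining unauthorized access to memory", which mixes two constructions; "prevents external peripherals from gaining unauthorized access to memory" is what is meant. Also visible in this hunk's context: both the VBS and HVCI rows spell the acronym "HCVI" in "firmware support for VBS and HCVI enabled by default in the BIOS" (it is HVCI everywhere else in those rows), and that two-sentence paragraph is repeated verbatim in both rows; worth fixing in the same change since the link update already edits this table.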
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index 191dfb47cb..557e813ec5 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,20 +9,23 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
+| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
+| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
## Advanced credential protection
| Feature name | Description |
|:---|:---|
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra ID-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Credential Guard](/windows/security/identity-protection/credential-guard)** | Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
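Review bot: The new "Enabled by default in Windows 11 Enterprise" clause in the Credential Guard row is unqualified; it should state the scope under which the default applies (which Windows 11 release and what the device must meet), otherwise readers on other editions or earlier releases will assume the protection is already on. Also, the updated link gains a trailing slash (`/windows/security/identity-protection/credential-guard/`) while the Remote Credential Guard link in the next row keeps the no-slash form; pick one convention for the table.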
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
index 3a748fac25..4a4ee4acf2 100644
--- a/windows/security/includes/sections/operating-system-security.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -9,10 +9,11 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
## Virus and threat protection
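Review bot: The added Assigned Access row has sentence-case capitals inside one sentence ("...public or specialized use: A single-app kiosk ... or A multi-app kiosk ..."); either lowercase "a" in both places or split the two experiences into a list. "Windows client offers" also reads oddly next to the rest of the table, which just says "Windows". While the Secure Boot and Device health attestation rows in this hunk are migrated from `/windows/security/threat-protection/...` to the new `/windows/security/operating-system-security/...` paths, the unchanged "Windows security policy settings and auditing" row still points at `/windows/security/threat-protection/security-policy-settings/security-policy-settings`; check whether it should move with the others so the table doesn't end up on a mix of old and new paths.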
@@ -24,20 +25,21 @@ ms.topic: include
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
## Network security
| Feature name | Description |
|:---|:---|
-| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.
In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
-| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
-| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
+| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
+| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
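Review bot: The rewritten Windows Firewall row carries over the missing space in "Windows Firewall with Advanced Securityprovides"; since the line is being replaced anyway, fix it to "Advanced Security provides". The new Always On VPN link uses `/Windows-server/remote/remote-access/overview-always-on-vpn` with a capital W, while every other link in this table uses lowercase `/windows-server/`; make it lowercase for consistency. While in this block, two context-line errors are worth folding in: "security certification programs" in the WiFi row should be singular ("program"), and "Remote Directory Memory Access (RDMA)" in the SMB row should read "Remote Direct Memory Access", matching the expansion used in the SMB Direct row below it.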
@@ -46,8 +48,8 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. |
-| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
-| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
+| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
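Review bot: The rewritten BitLocker management row keeps the "removeable storage" misspelling; correct it to "removable" since the line is already being replaced for the link and Microsoft Entra ID rename. In the BitLocker enablement row, "BitLocker uses AES algorithm in XTS or CBC mode" is missing the article ("uses the AES algorithm"). The link updates themselves look consistent with the other files in this PR, apart from the BitLocker enablement and PDE links now ending in a directory slash while the neighbouring rows link to a page; confirm both forms resolve.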
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 61eb75d6e8..7a85af0543 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
ms.topic: include
---
@@ -11,14 +11,14 @@ ms.topic: include
|:---|:---|
| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. |
## Certification
| Feature name | Description |
|:---|:---|
-| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
+| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
## Secure supply chain
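Review bot: the FIPS 140 row's link target moves from `/windows/security/threat-protection/fips-140-validation` to `/windows/security/security-foundations/certification/fips-140-validation`, but none of the `.openpublishing.redirection.json` entries visible in this diff redirect the old path; confirm a redirect exists (or add one) so inbound links to the old URL don't 404. The added Common Criteria row is consistent with the FIPS row in structure and register, and the two rows now both point under `security-foundations/certification`, which is the right place for them.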
@@ -26,4 +26,4 @@ ms.topic: include
|:---|:---|
| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune.
To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps.
Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets. |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
+| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
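Review bot: the `-`/`+` pair for the Windows SDK row is textually identical as shown, so this is presumably a trailing-whitespace or end-of-line change; confirm it is intentional and that the file still ends with a single newline rather than an editor artifact. Separately, the unchanged Azure Code Signing cell in this hunk spans three lines, which a markdown table won't render as one cell; if that is not just how the diff was captured, join the cell onto one line with `<br>` breaks.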
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 963c96d66e..40983d837f 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -14,7 +14,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 08/11/2023
+ ms.date: 09/18/2023
highlightedContent:
items:
@@ -73,14 +73,14 @@ productDirectory:
links:
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- - url: /windows/security/identity-protection/credential-guard
- text: Credential Guard
- - url: /windows-server/identity/laps/laps-overview
- text: Windows LAPS (Local Administrator Password Solution)
+ - url: /windows/security/identity-protection/passwordless-experience
+ text: Windows passwordless experience
+ - url: /windows/security/identity-protection/web-sign-in
+ text: Web sign-in for Windows
+ - url: /windows/security/identity-protection/passkeys
+ text: Support for passkeys in Windows
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
text: Enhanced phishing protection with SmartScreen
- - url: /education/windows/federated-sign-in
- text: Federated sign-in (EDU)
- url: /windows/security/identity-protection
text: Learn more about identity protection >
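Review bot: this hunk drops the Credential Guard, Windows LAPS and federated sign-in (EDU) links from the identity-protection card and nothing in the visible diff re-homes them; Credential Guard and LAPS are core credential-hardening controls, so confirm they remain reachable from another card or from the "Learn more about identity protection" landing page before removing them from the hub. The three new links (passwordless experience, web sign-in, passkeys) fit the card's theme.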
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index a16db47b99..38961897cb 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 08/11/2023
+ms.date: 09/25/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -13,9 +13,10 @@ Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft
If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
-- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
+- If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
> [!NOTE]
> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
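Review bot: the new bullet on automatic data collection ("content displayed, sounds played, and application memory") describes privacy-sensitive telemetry but does not say which setting governs it or what the default is; reference the `AutomaticDataCollection` setting that the CSP table later in this file now lists, and state the default, so administrators can evaluate it before turning it on. Nits: the widened claim from "any Chromium browser" to "any browser" should be checked against the supported-browser list, and the unchanged lead sentence "helps protect typed work or school password" is missing an article ("the typed ...").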
@@ -68,10 +69,11 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
| Setting | OMA-URI | Data type |
|-------------------------|---------------------------------------------------------------------------|-----------|
-| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
---
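Review bot: `AutomaticDataCollection` is added to the OMA-URI table, but the recommendation tables later in this file (the NotifyPasswordReuse and NotifyUnsafeApp rows are visible in a following hunk) get no matching row, so readers cannot tell what value to set or what each value means; add a row with the recommended value and its effect, consistent with the other settings. Reordering the table alphabetically by moving `ServiceEnabled` to the end is fine.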
@@ -80,7 +82,6 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
-
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|Settings catalog element|Recommendation|
@@ -108,15 +109,19 @@ To better help you protect your organization, we recommend turning on and using
|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
---
## Related articles
-- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [WebThreatDefense CSP][WIN-1]
- [Threat protection](index.md)
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
+
[MEM-2]: /mem/intune/configuration/settings-catalog
+
+
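Review bot: this hunk adds two trailing blank lines at end of file plus a blank line between the `[WIN-1]` and `[MEM-2]` link definitions; markdown linters flag multiple trailing blank lines, so end the file with a single newline and keep the reference definitions together. The sentence-case change to "SmartScreen frequently asked questions" matches the style used elsewhere on the page.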
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2e144448b8..2bd556b46f 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,7 +11,7 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
- - name: Windows 11 temporary enterprise feature control
+ - name: Windows 11 enterprise feature control
href: temporary-enterprise-feature-control.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index b20be1c0ab..65ebf38755 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -1,6 +1,6 @@
---
-title: Temporary enterprise feature control in Windows 11
-description: Learn about the Windows 11 features behind temporary enterprise feature control.
+title: Enterprise feature control in Windows 11
+description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control.
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.author: mstewart
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: reference
-ms.date: 05/19/2023
+ms.date: 09/26/2023
ms.collection:
- highpri
- tier2
@@ -16,21 +16,20 @@ appliesto:
- ✅ Windows 11, version 22H2 and later
---
-# Temporary enterprise feature control in Windows 11
+# Enterprise feature control in Windows 11
-New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features might be:
+
+- Temporarily turned off by default using [temporary enterprise feature control](#temporary-enterprise-feature-control)
+- Controlled by a policy that allows for [permanent enterprise feature control](#permanent-enterprise-feature-control)
+
+Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. For example, a feature might be turned off by default if it requires a change in user behavior or if it requires IT administrators to take action before the feature can be used.
+
+## Temporary enterprise feature control
Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
-## Windows 11 features behind temporary enterprise feature control
-
-The following features are behind temporary enterprise control in Windows 11:
-
-| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
-|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
-
-## Enable features behind temporary enterprise feature control
+### Enable features behind temporary enterprise feature control
Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
@@ -38,7 +37,7 @@ Features that are behind temporary enterprise control will be enabled when one o
- The device receives a policy that enables features behind temporary enterprise control
- When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
-## Policy settings for temporary enterprise feature control
+### Policy settings for temporary enterprise feature control
You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
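Review bot: the context line has a pre-existing typo, "The following polices apply" should read "policies"; since this paragraph is already touched by the heading-level change, fix it in the same commit.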
@@ -46,3 +45,33 @@ You can use a policy to enable features that are behind temporary enterprise fea
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+
+### Windows 11 features behind temporary enterprise feature control
+
+The following features are behind temporary enterprise control in Windows 11:
+
+| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
+|---|---|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
+
+## Permanent enterprise feature control
+
+New features and enhancements used to be introduced only in feature updates. However, with continuous innovation for Windows 11, new features are introduced more frequently through the monthly cumulative update. Some new features can be controlled through policies that enable you to configure them for your organization. When a feature can be controlled by a policy, it has permanent enterprise feature control.
+
+### Windows 11 features with permanent enterprise feature control
+
+The following features introduced through the monthly cumulative updates allow permanent enterprise feature control:
+
+| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
+|---|---|---|---|
+| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start) **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
+| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
+| Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) **Group Policies**: - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
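Review bot: in the Dev Drive row of the permanent-control table, the `EnableDevDrive` link fragment is `#enableeeverive`, which looks like a typo for `#enabledevdrive` (every other row uses the lowercased setting name as the fragment), and the `HideRecoPersonalizedSites` link has no fragment at all, so it lands at the top of the Start CSP page instead of the setting. The Dev Home row's Notes cell is a bare `Get-AppxPackage -Name Microsoft.Windows.DevHome` with no explanation; say what it is for (it only queries whether the package is present and is not itself a control) or replace it with an actual control description like the other rows. Nits: the multi-control cells (Windows Spotlight, File Explorer, Dev Drive) run the CSP and Group Policy text together and would read better with `<br>` separators, "WiFi direct" should be "Wi-Fi Direct", and the Dev Drive Notes cell in the temporary-control table is missing its closing period.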