From ada63f8164d2a638956393fe9d612259954528cf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 18 Jun 2020 14:27:46 -0700 Subject: [PATCH 001/370] Acrolinx spelling: "sesnsitive" and "ogranization" --- windows/security/information-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 84ea720232..e72f8d6c68 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -1,6 +1,6 @@ --- title: Information protection (Windows 10) -description: Learn more about how to protect sesnsitive data across your ogranization. +description: Learn more about how to protect sensitive data across your organization. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library From 3b16e01e520aabec17ad05ef3aebce755dc90e2d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 5 Mar 2021 12:04:09 -0800 Subject: [PATCH 002/370] pencil edit --- .../threat-protection/microsoft-defender-atp/machine-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 1370c628f9..1826c31d95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -1,6 +1,6 @@ --- title: Create and manage device groups in Microsoft Defender ATP -description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group +description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 From 77d18b1ba6294fd57f6448064366ad420f374cdd Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 10 Mar 2021 15:51:34 +0530 Subject: [PATCH 003/370] Updated --- .../mdm/Language-pack-management-csp.md | 65 +++++++++++++++++++ ...onfiguration-service-provider-reference.md | 27 ++++++++ 2 files changed, 92 insertions(+) create mode 100644 windows/client-management/mdm/Language-pack-management-csp.md diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md new file mode 100644 index 0000000000..ba439c06a3 --- /dev/null +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -0,0 +1,65 @@ +--- +title: LanguagePackManagement CSP +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 03/12/2021 +--- + +# LanguagePackManagement CSP + + +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. + + +Device context +1. Enumerate installed languages with GET command on the "InstalledLanguges" node + +Sample command +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** + +The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. + +2. Install language pack features with EXECUTE command on the "StartInstall" node of the language + +Sample command +**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** +**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + +The installation is an asynchronous operation. IT admin can query the ‘Status’ node using + +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** + +Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed +> [!NOTE] +> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. + +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. + +Sample command +**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** + +4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node + +Sample command +**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** + + + + + + + + + + + + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dcf8eec173..727a6c5348 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1374,6 +1374,33 @@ Additional lists: + +[LanguagePackManagement CSP](languagepackmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck markcheck markcheck mark
+ + + [Maps CSP](maps-csp.md) From 4eb06c120dde73dbf61b6f1420d5cf59692b3250 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 15 Mar 2021 15:46:47 +0530 Subject: [PATCH 004/370] updated --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- .../mdm/configuration-service-provider-reference.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ba439c06a3..755472b5af 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: LanguagePackManagement CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. ms.reviewer: manager: dansimp @@ -11,7 +11,7 @@ author: nimishasatapathy ms.date: 03/12/2021 --- -# LanguagePackManagement CSP +# Language Pack Management CSP Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 727a6c5348..d689057684 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](languagepackmanagement-csp.md) +[Language Pack Management CSP](language- pack-management-csp.md) From d0b796a849b273ba7018052b64bae1572d11d1a3 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 10:55:08 +0100 Subject: [PATCH 005/370] Adding all Failure Code for event 4771 according to RFC 4120 Adding all error codes for event 4771 according to RFC 4120 https://tools.ietf.org/html/rfc4120#section-7.5.9 --- .../threat-protection/auditing/event-4771.md | 73 ++++++++++++++++++- 1 file changed, 69 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 840d05eefb..1da05686b7 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -166,13 +166,78 @@ The most common values: > Table 6. Kerberos ticket flags. -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9): | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | -| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | +| 0x00 | KDC\_ERR\_NONE | No error | +| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | +| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match | +| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | +| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | +| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use | +| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER | +| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT | +| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | +| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | +| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | +| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request. From a7e6af7ebe8ae09198fef13df68536867f3ec518 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 12:28:09 +0100 Subject: [PATCH 006/370] fix codes to lowercase --- .../threat-protection/auditing/event-4771.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 1da05686b7..8aba6b4428 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -170,22 +170,22 @@ The most common values: | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x00 | KDC\_ERR\_NONE | No error | -| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | -| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | -| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | -| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | -| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | -| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | -| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | -| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | -| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | -| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | -| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | -| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | -| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | -| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | -| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x0 | KDC\_ERR\_NONE | No error | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | @@ -196,11 +196,11 @@ The most common values: | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | -| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | -| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | -| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | -| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | -| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | | 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | @@ -211,20 +211,20 @@ The most common values: | 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | | 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | | 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | -| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | -| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | -| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | -| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | -| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | | 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | | 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | -| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | -| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | -| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | -| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | | 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | | 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | | 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | @@ -235,9 +235,9 @@ The most common values: | 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | | 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | | 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | -| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | -| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | -| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request. From 07920ba872a88179aebf8d5458fcf08c71f1ed96 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 12:16:50 +0530 Subject: [PATCH 007/370] updated --- .../mdm/configuration-service-provider-reference.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d689057684..867a99d7d0 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[Language Pack Management CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language- pack-management-csp.md)
@@ -1389,13 +1389,13 @@ Additional lists: - - + + + + - -
Mobile Enterprise
cross markcross markcross markcross mark cross markcheck markcheck mark check markcheck markcheck mark
From f3672663d6f118bb9e0f8b91c847e86a9529cd1c Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 14:55:48 +0530 Subject: [PATCH 008/370] updated --- .../mdm/configuration-service-provider-reference.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 867a99d7d0..2f152af35b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language-pack-management-csp.md) @@ -1389,13 +1389,12 @@ Additional lists: - - - - - - + + + + +
Mobile Enterprise
cross markcross markcross markcheck mark check markcheck markcheck markcross markcheck markcheck markcross mark
From 333ab5ae96ccc53e7f0a1aed91e4f9b17ab0e13a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 00:06:31 +0500 Subject: [PATCH 009/370] addition of note The event Ids mentioned in this document don't apply to the windows server core edition. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9429 --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..369f4d7f3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +> [!Note] +> These event IDs are not applicable on Windows Server Core edition. + ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | From 45106d15403cb0e2cd96913da916fb61a11d089e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 17:50:40 +0500 Subject: [PATCH 010/370] Update windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 369f4d7f3a..423f952e38 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,7 +26,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script -> [!Note] +> [!NOTE] > These event IDs are not applicable on Windows Server Core edition. ## Microsoft Windows CodeIntegrity Operational log event IDs From 826fe872bf33019548a281c472378d2dd0f9d689 Mon Sep 17 00:00:00 2001 From: Rittwika Rudra <33437129+RittwikaR@users.noreply.github.com> Date: Fri, 30 Apr 2021 13:46:12 -0700 Subject: [PATCH 011/370] Non administrator settings page update --- windows/deployment/update/fod-and-lang-packs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 1ae3f99648..193b4d95ad 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 +As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. + As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. @@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). \ No newline at end of file +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). From df848b4a876125d0b560e676d1739adf749062ac Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 7 May 2021 12:27:19 -0700 Subject: [PATCH 012/370] first draft --- windows/sv/TOC.yml | 2 +- windows/sv/index.md | 1 - windows/sv/index.yml | 66 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 2 deletions(-) delete mode 100644 windows/sv/index.md create mode 100644 windows/sv/index.yml diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index b5ef71ac32..2b84fa1b4a 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,2 @@ - name: Index - href: index.md \ No newline at end of file + href: index.yml \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md deleted file mode 100644 index 8f7cbe8630..0000000000 --- a/windows/sv/index.md +++ /dev/null @@ -1 +0,0 @@ -# Welcome to SV! \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/sv/index.yml new file mode 100644 index 0000000000..5b07303233 --- /dev/null +++ b/windows/sv/index.yml @@ -0,0 +1,66 @@ +### YamlMime:Landing + +title: Windows NAME # < 60 chars +summary: Find out about Windows NAME. # < 160 chars + +metadata: + title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/07/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Card 1 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md + + + # Card (optional) + - title: Card 2 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md + + + # Card (optional) + - title: Card 3 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md From 81811f42433ef6ed174d79984619bc82955acb6c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 7 May 2021 12:35:49 -0700 Subject: [PATCH 013/370] 2 --- windows/sv/TOC.yml | 2 +- windows/sv/breadcrumb/toc.yml | 3 --- windows/sv/index.yml | 4 ++-- windows/sv/placeholder.md | 22 ++++++++++++++++++++++ 4 files changed, 25 insertions(+), 6 deletions(-) delete mode 100644 windows/sv/breadcrumb/toc.yml create mode 100644 windows/sv/placeholder.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 2b84fa1b4a..459e198125 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,2 @@ -- name: Index +- name: Windows SV href: index.yml \ No newline at end of file diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml deleted file mode 100644 index 61d8fca61e..0000000000 --- a/windows/sv/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 5b07303233..0f8c82e9f2 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing -title: Windows NAME # < 60 chars -summary: Find out about Windows NAME. # < 160 chars +title: Windows SV # < 60 chars +summary: Find out about Windows SV. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. diff --git a/windows/sv/placeholder.md b/windows/sv/placeholder.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/placeholder.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + From caabdbb0952f8f0f028549acf0d11d9d85b4a6b0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 09:34:50 -0700 Subject: [PATCH 014/370] draft --- windows/sv/TOC.yml | 44 +++++++++++++++++++++++++++++++++-- windows/sv/index.yml | 6 ++--- windows/sv/sv-faq.md | 22 ++++++++++++++++++ windows/sv/sv-overview.md | 22 ++++++++++++++++++ windows/sv/sv-requirements.md | 22 ++++++++++++++++++ 5 files changed, 111 insertions(+), 5 deletions(-) create mode 100644 windows/sv/sv-faq.md create mode 100644 windows/sv/sv-overview.md create mode 100644 windows/sv/sv-requirements.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 459e198125..b8531c0f0c 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,42 @@ -- name: Windows SV - href: index.yml \ No newline at end of file +- name: Deploy and update Windows 10 + href: index.yml + items: + - name: Get started + items: + - name: Sun Valley overview + href: sv-overview.md + - name: Windows Sun Valley requirements + href: sv-requirements.md + - name: Sun Valley FAQ + href: sv-faq.md + + + - name: Upgrade to Windows Sun Valley + items: + + - name: Plan to deploy Windows Sun Valley + href: update/plan-define-readiness.md + - name: Prepare for Windows Sun Valley + href: update/eval-infra-tools.md + - name: Deploy Windows Sun Valley + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/plan-define-strategy.md + - name: Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization.md + + + - name: Support + items: + - name: Windows Sun Valley lifecycle + href: sv-requirements.md + - name: Prepare to deploy Windows Sun Valley + href: update/plan-define-readiness.md + - name: Deploy Windows Sun Valley + href: update/eval-infra-tools.md + - name: Determine application readiness + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/plan-define-strategy.md + - name: Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization.md diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 0f8c82e9f2..dd25268757 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -22,7 +22,7 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Card 1 + - title: Get started linkLists: - linkListType: overview links: @@ -37,7 +37,7 @@ landingContent: # Card (optional) - - title: Card 2 + - title: Upgrade to Sun Valley linkLists: - linkListType: overview links: @@ -52,7 +52,7 @@ landingContent: # Card (optional) - - title: Card 3 + - title: Support information linkLists: - linkListType: overview links: diff --git a/windows/sv/sv-faq.md b/windows/sv/sv-faq.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-faq.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/sv/sv-overview.md b/windows/sv/sv-overview.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-overview.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/sv/sv-requirements.md b/windows/sv/sv-requirements.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-requirements.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + From 77497788f16c68eaf6d43a030f10add991c7fc25 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 09:51:34 -0700 Subject: [PATCH 015/370] draft2 --- .../sv-app-readiness.md | 183 ++++++++++ windows/client-management/sv-manage.md | 67 ++++ windows/configuration/sv-configure.md | 329 ++++++++++++++++++ windows/deployment/TOC.yml | 4 +- windows/deployment/sv-planning.md | 275 +++++++++++++++ windows/sv/TOC.yml | 41 +-- 6 files changed, 873 insertions(+), 26 deletions(-) create mode 100644 windows/application-management/sv-app-readiness.md create mode 100644 windows/client-management/sv-manage.md create mode 100644 windows/configuration/sv-configure.md create mode 100644 windows/deployment/sv-planning.md diff --git a/windows/application-management/sv-app-readiness.md b/windows/application-management/sv-app-readiness.md new file mode 100644 index 0000000000..d8cddab78d --- /dev/null +++ b/windows/application-management/sv-app-readiness.md @@ -0,0 +1,183 @@ +--- +title: Windows 10 - Apps +ms.reviewer: +manager: dansimp +description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: greglin +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- +# Understand the different apps included in Windows 10 + +>Applies to: Windows 10 + +The following types of apps run on Windows 10: +- Windows apps - introduced in Windows 8, primarily installed from the Store app. +- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. +- "Win32" apps - traditional Windows applications. + +Digging into the Windows apps, there are two categories: +- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: + - Provisioned: Installed in user account the first time you sign in with a new user account. + - Installed: Installed as part of the OS. +- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. + +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI. + +Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. + +## Provisioned Windows apps + +You can list all provisioned Windows apps with this PowerShell command: + +```Powershell +Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +``` + +Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. + +| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | + +>[!NOTE] +>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + +## System apps + +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. + +You can list all system apps with this PowerShell command: + +```Powershell +Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +``` + +| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | +|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No | +| | InputApp | x | x | x | No | +| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No | +| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | x | x | x | No | +| | Microsoft.ECApp | x | x | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No | +| | Microsoft.PPIProjection | x | x | x | No | +| | Microsoft.Win32WebViewHost | | x | x | No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows.CapturePicker | | x | x | No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | +| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | +| | Microsoft.Windows.ParentalControls | x | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No | +| | Microsoft.Windows.SecHealthUI | x | x | x | No | +| | Microsoft.Windows.SecondaryTileExperience | x | | | No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | | | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| | Windows.CBSPreview | | x | x | No | +| Contact Support* | Windows.ContactSupport | * | | | Via Settings App | +| Settings | Windows.immersivecontrolpanel | x | x | x | No | +| Print 3D | Windows.Print3D | | x | x | Yes | +| Print UI | Windows.PrintDialog | x | x | x | No | + + +> [!NOTE] +> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Installed Windows apps + +Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. + + +| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | +|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| +| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Sway | Microsoft.Office.Sway | x | x | x | Yes | +| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | +| | Microsoft.Services.Store.Engagement | x | x | | Yes | +| | Microsoft.VCLibs.120.00 | x | x | | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | + +--- diff --git a/windows/client-management/sv-manage.md b/windows/client-management/sv-manage.md new file mode 100644 index 0000000000..4fc41d68c1 --- /dev/null +++ b/windows/client-management/sv-manage.md @@ -0,0 +1,67 @@ +--- +title: Manage corporate devices (Windows 10) +description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. +ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D +ms.reviewer: +manager: dansimp +ms.author: dansimp +keywords: ["MDM", "device management"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices +author: dansimp +ms.localizationpriority: medium +ms.date: 09/21/2017 +ms.topic: article +--- + +# Manage corporate devices + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. + +## In this section + +| Topic | Description | +| --- | --- | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | +| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | +| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | +| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | +| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | +| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | + + +## Learn more + +[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) + +[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) + +[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) + +[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) + +[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765) + +[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) + +[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) + +[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) + +Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) + + + + + + +  \ No newline at end of file diff --git a/windows/configuration/sv-configure.md b/windows/configuration/sv-configure.md new file mode 100644 index 0000000000..15407ebc50 --- /dev/null +++ b/windows/configuration/sv-configure.md @@ -0,0 +1,329 @@ +--- +title: Configure Windows 10 taskbar (Windows 10) +description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: ["taskbar layout","pin apps"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.topic: article +ms.localizationpriority: medium +ms.date: 01/18/2018 +ms.reviewer: +manager: dansimp +--- +# Configure Windows 10 taskbar + +Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. + +> [!NOTE] +> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. + +You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). + +If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. + +The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. + +> [!NOTE] +> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + +The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + + +## Configure taskbar (general) + +**To configure the taskbar:** + +1. Create the XML file. + * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. + * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. +2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. + * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. + * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. + * Use `` and Desktop Application Link Path to pin desktop applications. +3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). + +>[!IMPORTANT] +>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. +> +>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. + +### Tips for finding AUMID and Desktop Application Link Path + +In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. + +The easiest way to find this data for an application is to: +1. Pin the application to the Start menu on a reference or testing PC. +2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. +3. Open the generated XML file. +4. Look for an entry corresponding to the app you pinned. +5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. + + +### Sample taskbar configuration XML file + +```xml + + + + + + + + + + + +``` +### Sample taskbar configuration added to Start layout XML file + +```xml + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Keep default apps and add your own + +The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. + +```xml + + + + + + + + + + + + +``` +**Before:** + +![default apps pinned to taskbar](images/taskbar-default.png) + +**After:** + + ![additional apps pinned to taskbar](images/taskbar-default-plus.png) + +## Remove default apps and add your own + +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. + +If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. + +```xml + + + + + + + + + + + + +``` +**Before:** + +![Taskbar with default apps](images/taskbar-default.png) + +**After:** + +![Taskbar with default apps removed](images/taskbar-default-removed.png) + +## Remove default apps + +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. + + +```xml + + + + + + + + + + +``` + +## Configure taskbar by country or region + +The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: + +![taskbar for US and UK locale](images/taskbar-region-usuk.png) + +The resulting taskbar for computers in Germany or France: + +![taskbar for DE and FR locale](images/taskbar-region-defr.png) + +The resulting taskbar for computers in any other country region: + +![taskbar for all other regions](images/taskbar-region-other.png) + + +> [!NOTE] +> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) + + + + +## Layout Modification Template schema definition + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Related topics + +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index c8a3334ac2..fb5306a3e3 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -1,4 +1,4 @@ -- name: Deploy and update Windows 10 +- name: Deploy and update Windows client href: index.yml items: - name: Get started @@ -33,6 +33,8 @@ - name: Plan items: + - name: Windows Sun Valley deployment planning + href: sv-planning.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria diff --git a/windows/deployment/sv-planning.md b/windows/deployment/sv-planning.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-planning.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index b8531c0f0c..f9d971cc94 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,42 +1,33 @@ - name: Deploy and update Windows 10 href: index.yml items: - - name: Get started + - name: Get started with Windows Sun Valley items: - name: Sun Valley overview href: sv-overview.md - name: Windows Sun Valley requirements href: sv-requirements.md - - name: Sun Valley FAQ - href: sv-faq.md - + - name: Upgrade to Windows Sun Valley items: - - name: Plan to deploy Windows Sun Valley - href: update/plan-define-readiness.md + href: ../deployment/sv-planning.md - name: Prepare for Windows Sun Valley - href: update/eval-infra-tools.md + href: ../deployment/sv-prepare.md - name: Deploy Windows Sun Valley - href: update/plan-determine-app-readiness.md - - name: Define your servicing strategy - href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization.md - + href: ../deployment/sv-deploy.md + - name: Configure Windows Sun Valley + href: ../configuration/sv-configure.md + - name: Manage Windows Sun Valley + href: ../client-management/sv-manage.md - - name: Support + - name: Windows Sun Valley Support items: - name: Windows Sun Valley lifecycle - href: sv-requirements.md - - name: Prepare to deploy Windows Sun Valley - href: update/plan-define-readiness.md - - name: Deploy Windows Sun Valley - href: update/eval-infra-tools.md - - name: Determine application readiness - href: update/plan-determine-app-readiness.md - - name: Define your servicing strategy - href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization.md + href: sv-lifecycle.md + - name: Windows Sun Valley application readiness + href: application-management/sv-app-readiness.md + - name: Sun Valley FAQ + href: sv-faq.md + From f3d8408cfc8dea7b52bda1a4f98bec3cb2cbde22 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:05:29 -0700 Subject: [PATCH 016/370] draft3 --- windows/sv/TOC.yml | 21 +++++++++++---------- windows/sv/index.yml | 41 ++++++++++++++++++----------------------- 2 files changed, 29 insertions(+), 33 deletions(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index f9d971cc94..76ac398036 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,15 +1,16 @@ -- name: Deploy and update Windows 10 +- name: Windows Sun Valley href: index.yml items: - - name: Get started with Windows Sun Valley + - name: Get started items: - - name: Sun Valley overview + - name: Windows Sun Valley overview href: sv-overview.md - name: Windows Sun Valley requirements href: sv-requirements.md + - name: Sun Valley FAQ + href: sv-faq.md - - - name: Upgrade to Windows Sun Valley + - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley href: ../deployment/sv-planning.md @@ -21,13 +22,13 @@ href: ../configuration/sv-configure.md - name: Manage Windows Sun Valley href: ../client-management/sv-manage.md + - name: Windows Sun Valley application readiness + href: application-management/sv-app-readiness.md - - name: Windows Sun Valley Support + - name: Support items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md - - name: Windows Sun Valley application readiness - href: application-management/sv-app-readiness.md - - name: Sun Valley FAQ - href: sv-faq.md + + diff --git a/windows/sv/index.yml b/windows/sv/index.yml index dd25268757..f528902792 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows SV # < 60 chars -summary: Find out about Windows SV. # < 160 chars +summary: Find out about Windows Sun Valley. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -26,41 +26,36 @@ landingContent: linkLists: - linkListType: overview links: - - text: Link 1 - url: placeholder.md - - text: Link 2 - url: placeholder.md - - text: Link 3 - url: placeholder.md - - text: Link 4 - url: placeholder.md - + - text: Windows Sun Valley overview + url: sv-overview.md + - text: Windows Sun Valley requirements + url: sv-requirements.md + - text: Windows Sun Valley FAQ + url: sv-faq.md # Card (optional) - - title: Upgrade to Sun Valley + - title: Deploy Windows Sun Valley linkLists: - linkListType: overview links: - - text: Link 1 + - text: Plan to deploy Windows Sun Valley url: placeholder.md - - text: Link 2 + - text: Prepare for Windows Sun Valley url: placeholder.md - - text: Link 3 + - text: Deploy Windows Sun Valley url: placeholder.md - - text: Link 4 + - text: Configure Windows Sun Valley + url: placeholder.md + - text: Manage Windows Sun Valley + url: placeholder.md + - text: Windows Sun Valley application readiness url: placeholder.md - # Card (optional) - title: Support information linkLists: - linkListType: overview links: - - text: Link 1 - url: placeholder.md - - text: Link 2 - url: placeholder.md - - text: Link 3 - url: placeholder.md - - text: Link 4 + - text: Windows Sun Valley lifecycle url: placeholder.md + From 68f9baf2a90dea7ccb1359e50df688f9ba251597 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:19:50 -0700 Subject: [PATCH 017/370] draft4 --- windows/hub/TOC.yml | 4 +++- windows/hub/index.yml | 34 ++++++++++++++++++++++------------ windows/sv/TOC.yml | 2 ++ windows/sv/index.yml | 2 ++ 4 files changed, 29 insertions(+), 13 deletions(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 2d99b5fb17..36a3417877 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -1,8 +1,10 @@ -- name: Windows 10 +- name: Windows client href: index.yml items: - name: What's new href: /windows/whats-new + - name: Windows Sun Valley + href: /windows/sv - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 2714aec10e..7ecfe4e922 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,10 +1,10 @@ ### YamlMime:Landing -title: Windows 10 resources and documentation for IT Pros # < 60 chars +title: Windows client resources and documentation for IT Pros # < 60 chars summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars metadata: - title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. + title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. @@ -26,12 +26,14 @@ landingContent: linkLists: - linkListType: overview links: - - text: What's new in Windows 10, version 21H1 + - text: Windows Sun Valley overview + url: /sv/sv-overview.md + - text: What's new in Windows Sun Valley, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: What's new in Windows 10, version 20H2 - url: /windows/whats-new/whats-new-windows-10-version-20H2 - - text: What's new in Windows 10, version 2004 - url: /windows/whats-new/whats-new-windows-10-version-2004 + - text: What's new in Windows 10, version 21H2 + url: /windows/whats-new/whats-new-windows-10-version-21H1 + - text: Windows Sun Valley release information + url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -40,8 +42,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Configure Windows 10 + - text: Configure Windows client url: /windows/configuration/index + - text: Configure Windows Sun Valley + url: /windows/configuration/sv-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -54,8 +58,10 @@ landingContent: linkLists: - linkListType: deploy links: - - text: Deploy and update Windows 10 + - text: Deploy and update Windows client url: /windows/deployment/index + - text: Deploy Windows Sun Valley + url: /windows/deployment/sv-deploy.md - text: Windows 10 deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -69,8 +75,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 application management + - text: Windows application management url: /windows/application-management/index + - text: Windows Sun Valley application management + url: /windows/application-management/sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -83,8 +91,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 client management + - text: Windows client management url: /windows/client-management/index + - text: Manage Windows Sun Valley + url: /windows/client-management/sv-manage.md - text: Administrative tools in Windows 10 url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles @@ -97,7 +107,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 Enterprise Security + - text: Windows Enterprise Security url: /windows/security/index - text: Windows Privacy url: /windows/privacy/index diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 76ac398036..5e9b8425bd 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -29,6 +29,8 @@ items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md + - name: Windows Sun Valley release information + href: ../release-health diff --git a/windows/sv/index.yml b/windows/sv/index.yml index f528902792..61131a5288 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -58,4 +58,6 @@ landingContent: links: - text: Windows Sun Valley lifecycle url: placeholder.md + - text: Windows Sun Valley release information + url: ../release-health From 0b5e722bc9e78c763885157ec7ff287cf38248f9 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:25:16 -0700 Subject: [PATCH 018/370] draft5 --- windows/deployment/TOC.yml | 16 +- .../{sv-planning.md => sv-deploy.md} | 0 windows/deployment/sv-plan.md | 275 ++++++++++++++++++ windows/deployment/sv-prepare.md | 275 ++++++++++++++++++ 4 files changed, 560 insertions(+), 6 deletions(-) rename windows/deployment/{sv-planning.md => sv-deploy.md} (100%) create mode 100644 windows/deployment/sv-plan.md create mode 100644 windows/deployment/sv-prepare.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index fb5306a3e3..21fe4cf03f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,7 +5,7 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows 10 deployment scenarios + - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? href: update/waas-quick-start.md @@ -34,7 +34,7 @@ - name: Plan items: - name: Windows Sun Valley deployment planning - href: sv-planning.md + href: sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -69,6 +69,8 @@ - name: Prepare items: + - name: Prepare to deploy Windows Sun Valley + href: sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -98,11 +100,13 @@ - name: Deploy items: - - name: Deploy Windows 10 + - name: Deploy Windows client items: - - name: Deploy Windows 10 with Autopilot + - name: Windows Sun Valley deployment overview + href: sv-deploy.md + - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - - name: Deploy Windows 10 with Configuration Manager + - name: Deploy Windows client with Configuration Manager items: - name: Deploy to a new device href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -112,7 +116,7 @@ href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: In-place upgrade href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md - - name: Deploy Windows 10 with MDT + - name: Deploy Windows client with MDT items: - name: Deploy to a new device href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md diff --git a/windows/deployment/sv-planning.md b/windows/deployment/sv-deploy.md similarity index 100% rename from windows/deployment/sv-planning.md rename to windows/deployment/sv-deploy.md diff --git a/windows/deployment/sv-plan.md b/windows/deployment/sv-plan.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-plan.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/sv-prepare.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-prepare.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file From 0e6ff045990caa70188ebd15afd380822e5c2b84 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:32:07 -0700 Subject: [PATCH 019/370] draft6 --- windows/hub/TOC.yml | 4 +-- windows/hub/index.yml | 12 ++++---- windows/sv/breadcrumb/toc.yml | 53 +++++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 8 deletions(-) create mode 100644 windows/sv/breadcrumb/toc.yml diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 36a3417877..5ba5004d55 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -3,10 +3,10 @@ items: - name: What's new href: /windows/whats-new - - name: Windows Sun Valley - href: /windows/sv - name: Release information href: /windows/release-health + - name: Windows Sun Valley + href: /windows/sv - name: Deployment href: /windows/deployment - name: Configuration diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 7ecfe4e922..5a9ddebb3d 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -62,11 +62,11 @@ landingContent: url: /windows/deployment/index - text: Deploy Windows Sun Valley url: /windows/deployment/sv-deploy.md - - text: Windows 10 deployment scenarios + - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan url: /windows/deployment/update/create-deployment-plan - - text: Prepare to deploy Windows 10 + - text: Prepare to deploy Windows client url: /windows/deployment/update/prepare-deploy-windows @@ -77,7 +77,7 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Windows Sun Valley application management + - text: Manage Windows Sun Valley applications url: /windows/application-management/sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 @@ -95,7 +95,7 @@ landingContent: url: /windows/client-management/index - text: Manage Windows Sun Valley url: /windows/client-management/sv-manage.md - - text: Administrative tools in Windows 10 + - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles url: /windows/client-management/mandatory-user-profile diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml new file mode 100644 index 0000000000..e2971f2d84 --- /dev/null +++ b/windows/sv/breadcrumb/toc.yml @@ -0,0 +1,53 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows + topicHref: /windows/windows-10 + items: + - name: What's new + tocHref: /windows/whats-new/ + topicHref: /windows/whats-new/index + - name: Configuration + tocHref: /windows/configuration/ + topicHref: /windows/configuration/index + - name: Deployment + tocHref: /windows/deployment/ + topicHref: /windows/deployment/index + - name: Application management + tocHref: /windows/application-management/ + topicHref: /windows/application-management/index + - name: Client management + tocHref: /windows/client-management/ + topicHref: /windows/client-management/index + items: + - name: Mobile Device Management + tocHref: /windows/client-management/mdm/ + topicHref: /windows/client-management/mdm/index + - name: Release information + tocHref: /windows/release-information/ + topicHref: /windows/release-health/release-information + - name: Privacy + tocHref: /windows/privacy/ + topicHref: /windows/privacy/index + - name: Security + tocHref: /windows/security/ + topicHref: /windows/security/index + items: + - name: Identity and access protection + tocHref: /windows/security/identity-protection/ + topicHref: /windows/security/identity-protection/index + items: + - name: Windows Hello for Business + tocHref: /windows/security/identity-protection/hello-for-business + topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification + - name: Threat protection + tocHref: /windows/security/threat-protection/ + topicHref: /windows/security/threat-protection/index + - name: Information protection + tocHref: /windows/security/information-protection/ + topicHref: /windows/security/information-protection/index + - name: Hardware-based protection + tocHref: /windows/security/hardware-protection/ + topicHref: /windows/security/hardware-protection/index From 3c67265d05561e89ed4f341db665255b0e5f6fd1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:37:00 -0700 Subject: [PATCH 020/370] draft7 --- windows/sv/TOC.yml | 2 +- windows/sv/sv-faq.md | 4 ++-- windows/sv/sv-lifecycle.md | 22 ++++++++++++++++++++++ windows/sv/sv-overview.md | 4 ++-- windows/sv/sv-requirements.md | 4 ++-- 5 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 windows/sv/sv-lifecycle.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 5e9b8425bd..fb7d2ccba4 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,7 +13,7 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: ../deployment/sv-planning.md + href: ../deployment/sv-plan.md - name: Prepare for Windows Sun Valley href: ../deployment/sv-prepare.md - name: Deploy Windows Sun Valley diff --git a/windows/sv/sv-faq.md b/windows/sv/sv-faq.md index fecfe94a8e..220beac886 100644 --- a/windows/sv/sv-faq.md +++ b/windows/sv/sv-faq.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley frequently asked questions (FAQ) -Placeholder text. +FAQ. diff --git a/windows/sv/sv-lifecycle.md b/windows/sv/sv-lifecycle.md new file mode 100644 index 0000000000..c16baa14b7 --- /dev/null +++ b/windows/sv/sv-lifecycle.md @@ -0,0 +1,22 @@ +--- +title: Lifecycle +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows Sun Valley lifecycle + +Sun Valley lifecycle. + diff --git a/windows/sv/sv-overview.md b/windows/sv/sv-overview.md index fecfe94a8e..4099c30662 100644 --- a/windows/sv/sv-overview.md +++ b/windows/sv/sv-overview.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley overview -Placeholder text. +Overview of Sun Valley. diff --git a/windows/sv/sv-requirements.md b/windows/sv/sv-requirements.md index fecfe94a8e..5e4a647fea 100644 --- a/windows/sv/sv-requirements.md +++ b/windows/sv/sv-requirements.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley requirements -Placeholder text. +Windows Sun Valley requirements. From 659c59863498881b486a0a062f8af9d75833adec Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:44:43 -0700 Subject: [PATCH 021/370] draft8 --- windows/sv/TOC.yml | 14 +++++++------- windows/sv/index.yml | 12 ++++++------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index fb7d2ccba4..355d8e61c1 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,24 +13,24 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: ../deployment/sv-plan.md + href: /windows/deployment/sv-plan.md - name: Prepare for Windows Sun Valley - href: ../deployment/sv-prepare.md + href: /windows/deployment/sv-prepare.md - name: Deploy Windows Sun Valley - href: ../deployment/sv-deploy.md + href: /windows/deployment/sv-deploy.md - name: Configure Windows Sun Valley - href: ../configuration/sv-configure.md + href: /windows/configuration/sv-configure.md - name: Manage Windows Sun Valley - href: ../client-management/sv-manage.md + href: /windows/client-management/sv-manage.md - name: Windows Sun Valley application readiness - href: application-management/sv-app-readiness.md + href: /windows/application-management/sv-app-readiness.md - name: Support items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md - name: Windows Sun Valley release information - href: ../release-health + href: /windows/release-health diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 61131a5288..477ed81e72 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -39,17 +39,17 @@ landingContent: - linkListType: overview links: - text: Plan to deploy Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-plan.md - text: Prepare for Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-prepare.md - text: Deploy Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-deploy.md - text: Configure Windows Sun Valley - url: placeholder.md + url: /windows/configuration/sv-configure.md - text: Manage Windows Sun Valley - url: placeholder.md + url: /windows/client-management/sv-manage.md - text: Windows Sun Valley application readiness - url: placeholder.md + url: /windows/application-management/sv-app-readiness.md # Card (optional) - title: Support information From a9eea14b6088c303110d976e4b3d013da119d3d0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:50:25 -0700 Subject: [PATCH 022/370] draft9 --- windows/deployment/TOC.yml | 2 ++ windows/deployment/index.yml | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 21fe4cf03f..9eb39c2bb6 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,6 +5,8 @@ items: - name: What's new href: deploy-whats-new.md + - name: Windows Sun Valley deployment overview + href: sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 55641790b7..12426c9a08 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,10 +1,10 @@ ### YamlMime:Landing -title: Windows 10 deployment resources and documentation # < 60 chars +title: Windows client deployment resources and documentation # < 60 chars summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars metadata: - title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. @@ -40,7 +40,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Prepare to deploy Windows 10 updates + - text: Prepare to deploy Windows updates url: update/prepare-deploy-windows.md - text: Prepare updates using Windows Update for Business url: update/waas-manage-updates-wufb.md @@ -66,7 +66,9 @@ landingContent: links: - text: What's new in Windows deployment url: windows-10-deployment-scenarios.md - - text: Windows 10 deployment scenarios + - text: Windows Sun Valley deployment overview + url: sv-deploy.md + - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools url: update/get-started-updates-channels-tools.md From 52ff9eaae898127e8195f0b3051740fa35368944 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:57:41 -0700 Subject: [PATCH 023/370] draft10 --- windows/deployment/deploy-whats-new.md | 8 +- windows/deployment/index.yml | 2 +- windows/deployment/sv-deploy.md | 254 +------------------------ 3 files changed, 8 insertions(+), 256 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4707849d86..95cc27289d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -1,9 +1,9 @@ --- -title: What's new in Windows 10 deployment +title: What's new in Windows client deployment ms.reviewer: manager: laurawi ms.author: greglin -description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization. +description: Use this article to learn about new solutions and online content related to deploying Windows in your organization. keywords: deployment, automate, tools, configure, news ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -20,12 +20,14 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 +- Windows Sun Valley ## In this topic -This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. +This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). +- For an all-up overview of new features in Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/index). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 12426c9a08..10182bbea5 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -65,7 +65,7 @@ landingContent: - linkListType: overview links: - text: What's new in Windows deployment - url: windows-10-deployment-scenarios.md + url: deploy-whats-new.md - text: Windows Sun Valley deployment overview url: sv-deploy.md - text: Windows client deployment scenarios diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/sv-deploy.md index e28a0eb0e8..75df574256 100644 --- a/windows/deployment/sv-deploy.md +++ b/windows/deployment/sv-deploy.md @@ -19,257 +19,7 @@ ms.topic: article # Windows Sun Valley deployment planning **Applies to** -- Windows 10 +- Windows Sun Valley -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryScenarioDescriptionMore information
Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
- -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager -
- Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
- - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
- - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
- Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager -
- - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- -
  - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) -- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) -- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file From 0e1b842fb9016049e452ec258fde08b5db5f595c Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 24 May 2021 10:01:48 -0700 Subject: [PATCH 024/370] Update TOC.yml test site relative link --- windows/sv/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 355d8e61c1..a293d047ad 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,7 +13,7 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/sv-plan.md + href: /windows/deployment/sv-plan - name: Prepare for Windows Sun Valley href: /windows/deployment/sv-prepare.md - name: Deploy Windows Sun Valley From 019efaf14e3c7c6c96f349887633c6f737829c8e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 15:53:17 +0500 Subject: [PATCH 025/370] Pointing to the correct link As the content has been moved to MDM, I have updated and pointed to the correct link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9451 --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..685e4236d2 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or ## Create a WIP policy -1. Sign in to the Azure portal. +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). -2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. +2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. ![Open Client apps](images/create-app-protection-policy.png) From 2bef916b8d6fb2e52d9ab2776f4a4968ddb2fa67 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 23:31:37 +0530 Subject: [PATCH 026/370] ie-edge-faqs.md converted into yml --- browsers/internet-explorer/TOC.yml | 2 +- .../kb-support/ie-edge-faqs.md | 220 ----------------- .../kb-support/ie-edge-faqs.yml | 233 ++++++++++++++++++ 3 files changed, 234 insertions(+), 221 deletions(-) delete mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.md create mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.yml diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml index 077879a18d..2c6602e1de 100644 --- a/browsers/internet-explorer/TOC.yml +++ b/browsers/internet-explorer/TOC.yml @@ -356,6 +356,6 @@ - name: KB Troubleshoot items: - name: Internet Explorer and Microsoft Edge FAQ for IT Pros - href: kb-support/ie-edge-faqs.md + href: kb-support/ie-edge-faqs.yml - name: Microsoft Edge and Internet Explorer troubleshooting href: /troubleshoot/browsers/welcome-browsers diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md deleted file mode 100644 index 3e2d6c100e..0000000000 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: IE and Microsoft Edge FAQ for IT Pros -description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. -audience: ITPro -manager: msmets -author: ramakoni1 -ms.author: ramakoni -ms.reviewer: ramakoni, DEV_Triage -ms.prod: internet-explorer -ms.technology: -ms.topic: kb-support -ms.custom: CI=111020 -ms.localizationpriority: medium -ms.date: 01/23/2020 ---- -# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros - -## Cookie-related questions - -### What is a cookie? - -An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. - -### How does Internet Explorer handle cookies? - -For more information about how Internet Explorer handles cookies, see the following articles: - -- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) -- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) -- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) -- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) -- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) - -### Where does Internet Explorer store cookies? - -To see where Internet Explorer stores its cookies, follow these steps: - -1. Start File Explorer. -2. Select **Views** \> **Change folder and search options**. -3. In the **Folder Options** dialog box, select **View**. -4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. -5. Clear **Hide protected operation system files (Recommended)**. -6. Select **Apply**. -7. Select **OK**. - -The following are the folder locations where the cookies are stored: - -**In Windows 10** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCache - -**In Windows 8 and Windows 8.1** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies - -**In Windows 7** -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low - -### What is the per-domain cookie limit? - -Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. - -There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. - -The JavaScript limitation was updated to 10 KB from 4 KB. - -For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). - -#### Additional information about cookie limits - -**What does the Cookie RFC allow?** -RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: - -- At least 300 cookies total -- At least 20 cookies per unique host or domain name - -For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - -### Cookie size limit per domain - -Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. - -## Proxy Auto Configuration (PAC)-related questions - -### Is an example Proxy Auto Configuration (PAC) file available? - -Here is a simple PAC file: - -```vb -function FindProxyForURL(url, host) -{ - return "PROXY proxyserver:portnumber"; -} -``` - -> [!NOTE] -> The previous PAC always returns the **proxyserver:portnumber** proxy. - -For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). - -**Third-party information disclaimer** -The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. - -### How to improve performance by using PAC scripts - -- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) -- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) - -## Other questions - -### How to set home and start pages in Microsoft Edge and allow user editing - -For more information, see the following blog article: - -[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) - -### How to add sites to the Enterprise Mode (EMIE) site list - -For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). - -### What is Content Security Policy (CSP)? - -By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. - -Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. - -CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. - -For more information, see the following articles: - -- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) -- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) - -### Where to find Internet Explorer security zones registry entries - -Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). - -This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. - -The default Zone Keys are stored in the following locations: - -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones - -### Why don't HTML5 videos play in Internet Explorer 11? - -To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. - -- 0 (the default value): Allow -- 3: Disallow - -This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. - -For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). - -For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). - -For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) - -### What is the Enterprise Mode Site List Portal? - -This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -### What is Enterprise Mode Feature? - -For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - -### Where can I obtain a list of HTTP Status codes? - -For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). - -### What is end of support for Internet Explorer 11? - -Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. - -For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). - -### How to configure TLS (SSL) for Internet Explorer - -For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). - -### What is Site to Zone? - -Site to Zone usually refers to one of the following: - -**Site to Zone Assignment List** -This is a Group Policy policy setting that can be used to add sites to the various security zones. - -The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: - -- Intranet zone -- Trusted Sites zone -- Internet zone -- Restricted Sites zone - -If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. - -**Site to Zone Mapping** -Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: - -- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap -- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey - -**Site to Zone Assignment List policy** -This policy setting is available for both Computer Configuration and User Configuration: - -- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page -- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page - -**References** -[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - -### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? - -For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). - -### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? - -The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. - -For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). \ No newline at end of file diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml new file mode 100644 index 0000000000..8c6a0be253 --- /dev/null +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -0,0 +1,233 @@ +### YamlMime:FAQ +metadata: + title: IE and Microsoft Edge FAQ for IT Pros + description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. + audience: ITPro + manager: msmets + author: ramakoni1 + ms.author: ramakoni + ms.reviewer: ramakoni, DEV_Triage + ms.prod: internet-explorer + ms.technology: + ms.topic: kb-support + ms.custom: CI=111020 + ms.localizationpriority: medium + ms.date: 01/23/2020 + +title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros +summary: | + +sections: + - name: Cookie-related questions + questions: + - question: | + What is a cookie? + answer: | + An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. + + - question: | + How does Internet Explorer handle cookies? + answer: | + For more information about how Internet Explorer handles cookies, see the following articles: + + - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) + - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) + - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) + - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) + - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) + + - question: | + Where does Internet Explorer store cookies? + answer: | + To see where Internet Explorer stores its cookies, follow these steps: + + 1. Start File Explorer. + 2. Select **Views** \> **Change folder and search options**. + 3. In the **Folder Options** dialog box, select **View**. + 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. + 5. Clear **Hide protected operation system files (Recommended)**. + 6. Select **Apply**. + 7. Select **OK**. + + The following are the folder locations where the cookies are stored: + + **In Windows 10** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCache + + **In Windows 8 and Windows 8.1** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies + + **In Windows 7** + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low + + - question: | + What is the per-domain cookie limit? + answer: | + Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. + + There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. + + The JavaScript limitation was updated to 10 KB from 4 KB. + + For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - question: | + Cookie size limit per domain + answer: | + Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. + + - name: Proxy Auto Configuration (PAC)-related questions + questions: + - question: | + Is an example Proxy Auto Configuration (PAC) file available? + answer: | + Here is a simple PAC file: + + ```vb + function FindProxyForURL(url, host) + { + return "PROXY proxyserver:portnumber"; + } + ``` + + > [!NOTE] + > The previous PAC always returns the **proxyserver:portnumber** proxy. + + For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). + + **Third-party information disclaimer** + The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + + - question: | + How to improve performance by using PAC scripts + answer: | + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + + - name: Other questions + questions: + - question: | + How to set home and start pages in Microsoft Edge and allow user editing + answer: | + For more information, see the following blog article: + + [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + + - question: | + How to add sites to the Enterprise Mode (EMIE) site list + answer: | + For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). + + - question: | + What is Content Security Policy (CSP)? + answer: | + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + + Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. + + CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. + + For more information, see the following articles: + + - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) + - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) + + - question: | + Where to find Internet Explorer security zones registry entries + answer: | + Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). + + This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. + + The default Zone Keys are stored in the following locations: + + - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + + - question: | + Why don't HTML5 videos play in Internet Explorer 11? + answer: | + To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. + + - 0 (the default value): Allow + - 3: Disallow + + This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. + + For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). + + For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). + + For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) + + - question: | + What is the Enterprise Mode Site List Portal? + answer: | + This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + + - question: | + What is Enterprise Mode Feature? + answer: | + For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). + + - question: | + Where can I obtain a list of HTTP Status codes? + answer: | + For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). + + - question: | + What is end of support for Internet Explorer 11? + answer: | + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + + For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). + + - question: | + How to configure TLS (SSL) for Internet Explorer + answer: | + For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). + + - question: | + What is Site to Zone? + answer: | + Site to Zone usually refers to one of the following: + + **Site to Zone Assignment List** + This is a Group Policy policy setting that can be used to add sites to the various security zones. + + The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: + + - Intranet zone + - Trusted Sites zone + - Internet zone + - Restricted Sites zone + + If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. + + **Site to Zone Mapping** + Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: + + - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey + + **Site to Zone Assignment List policy** + This policy setting is available for both Computer Configuration and User Configuration: + + - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + + **References** + [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + + - question: | + What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? + answer: | + For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). + + - question: | + What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? + answer: | + The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. + + For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). From 14fc19ef109aa2cc8d229eeabfba46d8aa3c4b9b Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 23:57:54 +0530 Subject: [PATCH 027/370] missing content added --- .../internet-explorer/kb-support/ie-edge-faqs.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 8c6a0be253..7bc45c1ec2 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -71,6 +71,18 @@ sections: The JavaScript limitation was updated to 10 KB from 4 KB. For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - name: Additional information about cookie limits + questions: + - question: | + What does the Cookie RFC allow? + answer: | + RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: + + - At least 300 cookies total + - At least 20 cookies per unique host or domain name + + For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - question: | Cookie size limit per domain From 59af80564b27c765a665efb11f5d695326ac0643 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 21:51:04 +0530 Subject: [PATCH 028/370] removed device word this is my own PR i removed word **Device** --- windows/client-management/mdm/healthattestation-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 3463de078b..7ba60128fb 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,5 +1,5 @@ --- -title: Device HealthAttestation CSP +title: HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: From 818a12067925afaadc3bc520df2a63a3c25d6ff1 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 23:48:21 +0530 Subject: [PATCH 029/370] formatted table properly. added cross check marks this is my own PR, 01. I added Checkmarks only for Business edition if under Professional and Enterprise are already added Checkmarks 02. I added Crossmarks only for Business edition if under Professional and Enterprise are already added Crossmarks 03. Removed the following words **Only for mobile application management (MAM)** **Provisioning only** 04. Added footnotes **A- Only for mobile application management (MAM)** **B- Provisioning only** --- ...onfiguration-service-provider-reference.md | 160 +++++++++--------- 1 file changed, 79 insertions(+), 81 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..35baca9f52 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -71,7 +71,7 @@ Additional lists: cross mark check mark4 - cross mark + check mark4 check mark4 check mark4 cross mark @@ -97,7 +97,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -123,7 +123,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -149,7 +149,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -201,7 +201,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -227,7 +227,7 @@ Additional lists: cross mark check mark3 - + check mark check mark check mark cross mark @@ -253,7 +253,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -305,7 +305,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -331,7 +331,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -358,7 +358,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark1 @@ -384,7 +384,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -410,7 +410,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -436,7 +436,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -462,7 +462,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -514,7 +514,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -540,7 +540,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -566,7 +566,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -592,7 +592,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -618,7 +618,7 @@ Additional lists: check mark check mark - + check mark check mark check mark cross mark @@ -644,7 +644,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -670,7 +670,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -722,7 +722,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -748,7 +748,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -774,7 +774,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -802,7 +801,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -829,7 +827,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -882,7 +880,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -934,7 +932,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -960,7 +958,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1012,7 +1010,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1037,9 +1035,9 @@ Additional lists: check mark -Only for mobile application management (MAM) +A + check mark check mark - check mark check mark check mark @@ -1065,10 +1063,9 @@ Additional lists: cross mark check mark - check mark check mark - cross mark + check mark cross mark @@ -1092,7 +1089,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1118,7 +1115,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1144,7 +1141,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1168,7 +1165,7 @@ Additional lists: Mobile - + cross mark check mark3 check mark3 check mark3 @@ -1196,10 +1193,10 @@ Additional lists: cross mark cross mark - cross mark cross mark - check mark (Provisioning only) + cross mark + check markB @@ -1248,7 +1245,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1274,7 +1271,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1300,7 +1297,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1378,7 +1375,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1404,7 +1401,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1482,7 +1479,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1534,7 +1531,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1560,7 +1557,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1586,7 +1583,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1638,7 +1635,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1664,7 +1661,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1688,12 +1685,12 @@ Additional lists: Mobile - check mark (Provisioning only) - check mark (Provisioning only) - - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) + check markB + check markB + check markB + check markB + check markB + check markB @@ -1716,7 +1713,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1742,7 +1739,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1768,7 +1765,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1794,7 +1791,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1820,7 +1817,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1846,7 +1843,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1872,7 +1869,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1898,7 +1895,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1924,7 +1921,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1950,7 +1947,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1976,7 +1973,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2002,7 +1999,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2028,7 +2025,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -2159,7 +2156,7 @@ Additional lists: cross mark cross mark - + check mark check mark check mark cross mark @@ -2185,7 +2182,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2211,7 +2208,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2237,7 +2234,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2290,7 +2287,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2316,7 +2313,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2368,7 +2365,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2421,7 +2418,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2447,7 +2444,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2503,7 +2500,6 @@ Additional lists: check mark - @@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: +- A - Only for mobile application management (MAM) +- B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. @@ -2636,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 534690e3f5745b9a0c64e52bb98141b437cb0d97 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 00:24:54 +0530 Subject: [PATCH 030/370] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 35baca9f52..e23ec60e95 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM) - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 7ef4e5ade9277041be1aa55212925cee5db4bb04 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:36 +0530 Subject: [PATCH 031/370] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e23ec60e95..e13ad288ab 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM). - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 460f60dd4abec4c5228991d27e829a1489c0b06e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:48 +0530 Subject: [PATCH 032/370] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e13ad288ab..f4fab2c509 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2633,5 +2633,5 @@ The following list shows the CSPs supported in HoloLens devices: - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update +- 9 - Added in Windows 10 Team 2020 Update. - 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 827ed7c9761b1ca8fdefe65d59d306903c960fc3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:00 +0530 Subject: [PATCH 033/370] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f4fab2c509..0f759f0e22 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2634,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update. -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2). From 3ac0b220781ec3f56a70100448772bceec07ac1e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:13 +0530 Subject: [PATCH 034/370] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 0f759f0e22..e9ff678bdb 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2624,7 +2624,7 @@ The following list shows the CSPs supported in HoloLens devices: Footnotes: - A - Only for mobile application management (MAM). -- B - Provisioning only +- B - Provisioning only. - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. From f139f3b91614e2ed3df61b40953315379a99b781 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:24:06 +0530 Subject: [PATCH 035/370] Update windows/client-management/mdm/healthattestation-csp.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/healthattestation-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7ba60128fb..9df5a62fdf 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,5 +1,5 @@ --- -title: HealthAttestation CSP +title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: @@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio [Configuration service provider reference](configuration-service-provider-reference.md) - From 8b70ad21214bff96116460ecaaf711bed625eada Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 09:21:51 -0700 Subject: [PATCH 036/370] sv to 11 --- .openpublishing.publish.config.json | 6 ++-- windows/application-management/index.yml | 2 +- windows/deployment/TOC.yml | 8 ++--- windows/deployment/deploy-whats-new.md | 4 +-- windows/deployment/index.yml | 2 +- windows/deployment/sv-deploy.md | 8 ++--- windows/deployment/sv-plan.md | 4 +-- windows/deployment/sv-prepare.md | 4 +-- windows/hub/TOC.yml | 4 +-- windows/hub/index.yml | 30 ++++++++-------- windows/sv/TOC.yml | 36 ------------------- windows/windows-11/TOC.yml | 36 +++++++++++++++++++ windows/{sv => windows-11}/breadcrumb/toc.yml | 0 windows/{sv => windows-11}/docfx.json | 4 +-- windows/{sv => windows-11}/index.yml | 26 +++++++------- windows/{sv => windows-11}/placeholder.md | 0 .../windows-11-faq.md} | 5 ++- .../windows-11-lifecycle.md} | 7 ++-- .../windows-11-overview.md} | 4 +-- .../windows-11-requirements.md} | 4 +-- 20 files changed, 96 insertions(+), 98 deletions(-) delete mode 100644 windows/sv/TOC.yml create mode 100644 windows/windows-11/TOC.yml rename windows/{sv => windows-11}/breadcrumb/toc.yml (100%) rename windows/{sv => windows-11}/docfx.json (90%) rename windows/{sv => windows-11}/index.yml (75%) rename windows/{sv => windows-11}/placeholder.md (100%) rename windows/{sv/sv-requirements.md => windows-11/windows-11-faq.md} (71%) rename windows/{sv/sv-lifecycle.md => windows-11/windows-11-lifecycle.md} (69%) rename windows/{sv/sv-overview.md => windows-11/windows-11-overview.md} (86%) rename windows/{sv/sv-faq.md => windows-11/windows-11-requirements.md} (85%) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index ecd7571ea7..4fc470da75 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -130,9 +130,9 @@ "template_folder": "_themes" }, { - "docset_name": "SV", - "build_source_folder": "windows/sv", - "build_output_subfolder": "SV", + "docset_name": "windows-11", + "build_source_folder": "windows/windows-11", + "build_output_subfolder": "windows-11", "locale": "en-us", "monikers": [], "moniker_ranges": [], diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..d3a95df0d0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 9eb39c2bb6..3a19c56f54 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,7 +5,7 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows Sun Valley deployment overview + - name: Windows 11 deployment overview href: sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md @@ -35,7 +35,7 @@ - name: Plan items: - - name: Windows Sun Valley deployment planning + - name: Windows 11 deployment planning href: sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md @@ -71,7 +71,7 @@ - name: Prepare items: - - name: Prepare to deploy Windows Sun Valley + - name: Prepare to deploy Windows 11 href: sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md @@ -104,7 +104,7 @@ items: - name: Deploy Windows client items: - - name: Windows Sun Valley deployment overview + - name: Windows 11 deployment overview href: sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 95cc27289d..03d5ce122e 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -20,14 +20,14 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 -- Windows Sun Valley +- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an all-up overview of new features in Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/index). +- For an all-up overview of new features in Windows 11, see [What's new in Windows 11](/windows/whats-new/index). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 10182bbea5..f6f9bf26ec 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -66,7 +66,7 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows Sun Valley deployment overview + - text: Windows 11 deployment overview url: sv-deploy.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/sv-deploy.md index 75df574256..ca92e990a7 100644 --- a/windows/deployment/sv-deploy.md +++ b/windows/deployment/sv-deploy.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,10 +16,10 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** -- Windows Sun Valley +- Windows 11, version 21H1 -To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows 11 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. diff --git a/windows/deployment/sv-plan.md b/windows/deployment/sv-plan.md index e28a0eb0e8..cd88a54b3d 100644 --- a/windows/deployment/sv-plan.md +++ b/windows/deployment/sv-plan.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,7 +16,7 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** - Windows 10 diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/sv-prepare.md index e28a0eb0e8..cd88a54b3d 100644 --- a/windows/deployment/sv-prepare.md +++ b/windows/deployment/sv-prepare.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,7 +16,7 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** - Windows 10 diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 5ba5004d55..812bcc04b5 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -5,8 +5,8 @@ href: /windows/whats-new - name: Release information href: /windows/release-health - - name: Windows Sun Valley - href: /windows/sv + - name: Windows 11 + href: /windows/windows-11 - name: Deployment href: /windows/deployment - name: Configuration diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 5a9ddebb3d..572df40317 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 10/20/2020 #Required; mm/dd/yyyy format. + ms.date: 06/01/2020 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -26,13 +26,13 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview - url: /sv/sv-overview.md - - text: What's new in Windows Sun Valley, version 21H2 + - text: Windows 11 overview + url: /windows-11/windows-11-overview.md + - text: What's new in Windows 11, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows Sun Valley release information + - text: Windows 11 release information url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -44,8 +44,8 @@ landingContent: links: - text: Configure Windows client url: /windows/configuration/index - - text: Configure Windows Sun Valley - url: /windows/configuration/sv-configure.md + - text: Configure Windows 11 + url: /windows/configuration/windows-11-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -60,8 +60,8 @@ landingContent: links: - text: Deploy and update Windows client url: /windows/deployment/index - - text: Deploy Windows Sun Valley - url: /windows/deployment/sv-deploy.md + - text: Deploy Windows 11 + url: /windows/deployment/windows-11-deploy.md - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -77,8 +77,8 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Manage Windows Sun Valley applications - url: /windows/application-management/sv-app-manage.md + - text: Manage Windows 11 applications + url: /windows/application-management/windows-11-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -93,8 +93,8 @@ landingContent: links: - text: Windows client management url: /windows/client-management/index - - text: Manage Windows Sun Valley - url: /windows/client-management/sv-manage.md + - text: Manage Windows 11 + url: /windows/client-management/windows-11-manage.md - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml deleted file mode 100644 index a293d047ad..0000000000 --- a/windows/sv/TOC.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: Windows Sun Valley - href: index.yml - items: - - name: Get started - items: - - name: Windows Sun Valley overview - href: sv-overview.md - - name: Windows Sun Valley requirements - href: sv-requirements.md - - name: Sun Valley FAQ - href: sv-faq.md - - - name: Deploy and Manage Windows Sun Valley - items: - - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/sv-plan - - name: Prepare for Windows Sun Valley - href: /windows/deployment/sv-prepare.md - - name: Deploy Windows Sun Valley - href: /windows/deployment/sv-deploy.md - - name: Configure Windows Sun Valley - href: /windows/configuration/sv-configure.md - - name: Manage Windows Sun Valley - href: /windows/client-management/sv-manage.md - - name: Windows Sun Valley application readiness - href: /windows/application-management/sv-app-readiness.md - - - name: Support - items: - - name: Windows Sun Valley lifecycle - href: sv-lifecycle.md - - name: Windows Sun Valley release information - href: /windows/release-health - - - diff --git a/windows/windows-11/TOC.yml b/windows/windows-11/TOC.yml new file mode 100644 index 0000000000..ad14e66327 --- /dev/null +++ b/windows/windows-11/TOC.yml @@ -0,0 +1,36 @@ +- name: Windows 11 + href: index.yml + items: + - name: Get started + items: + - name: Windows 11 overview + href: windows-11-overview.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Windows 11 FAQ + href: windows-11-faq.md + + - name: Deploy and Manage Windows 11 + items: + - name: Plan to deploy Windows 11 + href: /windows/deployment/windows-11-plan + - name: Prepare for Windows 11 + href: /windows/deployment/windows-11-prepare.md + - name: Deploy Windows 11 + href: /windows/deployment/windows-11-deploy.md + - name: Configure Windows 11 + href: /windows/configuration/windows-11-configure.md + - name: Manage Windows 11 + href: /windows/client-management/windows-11-manage.md + - name: Windows 11 application readiness + href: /windows/application-management/windows-11-app-readiness.md + + - name: Support + items: + - name: Windows 11 lifecycle + href: windows-11-lifecycle.md + - name: Windows 11 release information + href: /windows/release-health + + + diff --git a/windows/sv/breadcrumb/toc.yml b/windows/windows-11/breadcrumb/toc.yml similarity index 100% rename from windows/sv/breadcrumb/toc.yml rename to windows/windows-11/breadcrumb/toc.yml diff --git a/windows/sv/docfx.json b/windows/windows-11/docfx.json similarity index 90% rename from windows/sv/docfx.json rename to windows/windows-11/docfx.json index 7035c4cd69..e7955464fe 100644 --- a/windows/sv/docfx.json +++ b/windows/windows-11/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/sv/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "SV", + "dest": "windows-11", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/windows-11/index.yml similarity index 75% rename from windows/sv/index.yml rename to windows/windows-11/index.yml index 477ed81e72..5e33fe3113 100644 --- a/windows/sv/index.yml +++ b/windows/windows-11/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows SV # < 60 chars -summary: Find out about Windows Sun Valley. # < 160 chars +summary: Find out about Windows Windows 11. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -26,29 +26,29 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview + - text: Windows Windows 11 overview url: sv-overview.md - - text: Windows Sun Valley requirements + - text: Windows Windows 11 requirements url: sv-requirements.md - - text: Windows Sun Valley FAQ + - text: Windows Windows 11 FAQ url: sv-faq.md # Card (optional) - - title: Deploy Windows Sun Valley + - title: Deploy Windows 11 linkLists: - linkListType: overview links: - - text: Plan to deploy Windows Sun Valley + - text: Plan to deploy Windows Windows 11 url: /windows/deployment/sv-plan.md - - text: Prepare for Windows Sun Valley + - text: Prepare for Windows Windows 11 url: /windows/deployment/sv-prepare.md - - text: Deploy Windows Sun Valley + - text: Deploy Windows Windows 11 url: /windows/deployment/sv-deploy.md - - text: Configure Windows Sun Valley + - text: Configure Windows Windows 11 url: /windows/configuration/sv-configure.md - - text: Manage Windows Sun Valley + - text: Manage Windows Windows 11 url: /windows/client-management/sv-manage.md - - text: Windows Sun Valley application readiness + - text: Windows Windows 11 application readiness url: /windows/application-management/sv-app-readiness.md # Card (optional) @@ -56,8 +56,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley lifecycle + - text: Windows Windows 11 lifecycle url: placeholder.md - - text: Windows Sun Valley release information + - text: Windows Windows 11 release information url: ../release-health diff --git a/windows/sv/placeholder.md b/windows/windows-11/placeholder.md similarity index 100% rename from windows/sv/placeholder.md rename to windows/windows-11/placeholder.md diff --git a/windows/sv/sv-requirements.md b/windows/windows-11/windows-11-faq.md similarity index 71% rename from windows/sv/sv-requirements.md rename to windows/windows-11/windows-11-faq.md index 5e4a647fea..1ac810bb60 100644 --- a/windows/sv/sv-requirements.md +++ b/windows/windows-11/windows-11-faq.md @@ -1,7 +1,6 @@ --- title: Placeholder description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,7 +15,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley requirements +# Windows 11 frequently asked questions (FAQ) -Windows Sun Valley requirements. +FAQ. diff --git a/windows/sv/sv-lifecycle.md b/windows/windows-11/windows-11-lifecycle.md similarity index 69% rename from windows/sv/sv-lifecycle.md rename to windows/windows-11/windows-11-lifecycle.md index c16baa14b7..fab8fda180 100644 --- a/windows/sv/sv-lifecycle.md +++ b/windows/windows-11/windows-11-lifecycle.md @@ -1,7 +1,6 @@ --- title: Lifecycle -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +description: Lifecycle information for Windows 11 ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,7 +15,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley lifecycle +# Windows 11 lifecycle -Sun Valley lifecycle. +Windows 11 lifecycle. diff --git a/windows/sv/sv-overview.md b/windows/windows-11/windows-11-overview.md similarity index 86% rename from windows/sv/sv-overview.md rename to windows/windows-11/windows-11-overview.md index 4099c30662..f39f5e4c23 100644 --- a/windows/sv/sv-overview.md +++ b/windows/windows-11/windows-11-overview.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley overview +# Windows 11 overview -Overview of Sun Valley. +Overview of Windows 11. diff --git a/windows/sv/sv-faq.md b/windows/windows-11/windows-11-requirements.md similarity index 85% rename from windows/sv/sv-faq.md rename to windows/windows-11/windows-11-requirements.md index 220beac886..482850a4f9 100644 --- a/windows/sv/sv-faq.md +++ b/windows/windows-11/windows-11-requirements.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley frequently asked questions (FAQ) +# Windows 11 requirements -FAQ. +Windows 11 requirements. From 5b1f9848a3b8a6de82a5cb336460c10a34d7ad14 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 09:46:31 -0700 Subject: [PATCH 037/370] H1 fixes --- windows/deployment/{sv-deploy.md => windows-11-deploy.md} | 0 windows/deployment/{sv-plan.md => windows-11-plan.md} | 4 ++-- .../deployment/{sv-prepare.md => windows-11-prepare.md} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename windows/deployment/{sv-deploy.md => windows-11-deploy.md} (100%) rename windows/deployment/{sv-plan.md => windows-11-plan.md} (99%) rename windows/deployment/{sv-prepare.md => windows-11-prepare.md} (99%) diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/windows-11-deploy.md similarity index 100% rename from windows/deployment/sv-deploy.md rename to windows/deployment/windows-11-deploy.md diff --git a/windows/deployment/sv-plan.md b/windows/deployment/windows-11-plan.md similarity index 99% rename from windows/deployment/sv-plan.md rename to windows/deployment/windows-11-plan.md index cd88a54b3d..e3b81e8c3c 100644 --- a/windows/deployment/sv-plan.md +++ b/windows/deployment/windows-11-plan.md @@ -1,6 +1,6 @@ --- title: Windows 11 deployment planning -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi @@ -19,7 +19,7 @@ ms.topic: article # Windows 11 deployment planning **Applies to** -- Windows 10 +- Windows 11 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/windows-11-prepare.md similarity index 99% rename from windows/deployment/sv-prepare.md rename to windows/deployment/windows-11-prepare.md index cd88a54b3d..eb8ce64aa0 100644 --- a/windows/deployment/sv-prepare.md +++ b/windows/deployment/windows-11-prepare.md @@ -1,6 +1,6 @@ --- -title: Windows 11 deployment planning -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +title: Prepare to deploy Windows 11 +description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi @@ -16,10 +16,10 @@ audience: itpro ms.topic: article --- -# Windows 11 deployment planning +# Prepare to deploy Windows 11 **Applies to** -- Windows 10 +- Windows 11, version 21H1 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. From 5af48f6be2deb00ea8733163229159bde7d2e972 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 12:17:01 -0700 Subject: [PATCH 038/370] sv --- .openpublishing.publish.config.json | 6 +- windows/deployment/TOC.yml | 8 +-- windows/{windows-11 => sv}/TOC.yml | 0 windows/{windows-11 => sv}/breadcrumb/toc.yml | 0 windows/{windows-11 => sv}/docfx.json | 0 windows/{windows-11 => sv}/index.yml | 0 windows/{windows-11 => sv}/placeholder.md | 0 windows/{windows-11 => sv}/windows-11-faq.md | 0 .../windows-11-lifecycle.md | 0 .../{windows-11 => sv}/windows-11-overview.md | 0 .../windows-11-requirements.md | 0 windows/whats-new/sv/TOC.yml | 36 +++++++++++ windows/whats-new/sv/breadcrumb/toc.yml | 53 ++++++++++++++++ windows/whats-new/sv/docfx.json | 51 +++++++++++++++ windows/whats-new/sv/index.yml | 63 +++++++++++++++++++ windows/whats-new/sv/placeholder.md | 22 +++++++ windows/whats-new/sv/windows-11-faq.md | 21 +++++++ windows/whats-new/sv/windows-11-lifecycle.md | 21 +++++++ windows/whats-new/sv/windows-11-overview.md | 22 +++++++ .../whats-new/sv/windows-11-requirements.md | 22 +++++++ 20 files changed, 318 insertions(+), 7 deletions(-) rename windows/{windows-11 => sv}/TOC.yml (100%) rename windows/{windows-11 => sv}/breadcrumb/toc.yml (100%) rename windows/{windows-11 => sv}/docfx.json (100%) rename windows/{windows-11 => sv}/index.yml (100%) rename windows/{windows-11 => sv}/placeholder.md (100%) rename windows/{windows-11 => sv}/windows-11-faq.md (100%) rename windows/{windows-11 => sv}/windows-11-lifecycle.md (100%) rename windows/{windows-11 => sv}/windows-11-overview.md (100%) rename windows/{windows-11 => sv}/windows-11-requirements.md (100%) create mode 100644 windows/whats-new/sv/TOC.yml create mode 100644 windows/whats-new/sv/breadcrumb/toc.yml create mode 100644 windows/whats-new/sv/docfx.json create mode 100644 windows/whats-new/sv/index.yml create mode 100644 windows/whats-new/sv/placeholder.md create mode 100644 windows/whats-new/sv/windows-11-faq.md create mode 100644 windows/whats-new/sv/windows-11-lifecycle.md create mode 100644 windows/whats-new/sv/windows-11-overview.md create mode 100644 windows/whats-new/sv/windows-11-requirements.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 4fc470da75..32eb1b181b 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -130,9 +130,9 @@ "template_folder": "_themes" }, { - "docset_name": "windows-11", - "build_source_folder": "windows/windows-11", - "build_output_subfolder": "windows-11", + "docset_name": "sv", + "build_source_folder": "windows/sv", + "build_output_subfolder": "sv", "locale": "en-us", "monikers": [], "moniker_ranges": [], diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 3a19c56f54..559a6b7d13 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -6,7 +6,7 @@ - name: What's new href: deploy-whats-new.md - name: Windows 11 deployment overview - href: sv-deploy.md + href: windows-11-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -36,7 +36,7 @@ - name: Plan items: - name: Windows 11 deployment planning - href: sv-plan.md + href: windows-11-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare to deploy Windows 11 - href: sv-prepare.md + href: windows-11-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -105,7 +105,7 @@ - name: Deploy Windows client items: - name: Windows 11 deployment overview - href: sv-deploy.md + href: windows-11-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - name: Deploy Windows client with Configuration Manager diff --git a/windows/windows-11/TOC.yml b/windows/sv/TOC.yml similarity index 100% rename from windows/windows-11/TOC.yml rename to windows/sv/TOC.yml diff --git a/windows/windows-11/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml similarity index 100% rename from windows/windows-11/breadcrumb/toc.yml rename to windows/sv/breadcrumb/toc.yml diff --git a/windows/windows-11/docfx.json b/windows/sv/docfx.json similarity index 100% rename from windows/windows-11/docfx.json rename to windows/sv/docfx.json diff --git a/windows/windows-11/index.yml b/windows/sv/index.yml similarity index 100% rename from windows/windows-11/index.yml rename to windows/sv/index.yml diff --git a/windows/windows-11/placeholder.md b/windows/sv/placeholder.md similarity index 100% rename from windows/windows-11/placeholder.md rename to windows/sv/placeholder.md diff --git a/windows/windows-11/windows-11-faq.md b/windows/sv/windows-11-faq.md similarity index 100% rename from windows/windows-11/windows-11-faq.md rename to windows/sv/windows-11-faq.md diff --git a/windows/windows-11/windows-11-lifecycle.md b/windows/sv/windows-11-lifecycle.md similarity index 100% rename from windows/windows-11/windows-11-lifecycle.md rename to windows/sv/windows-11-lifecycle.md diff --git a/windows/windows-11/windows-11-overview.md b/windows/sv/windows-11-overview.md similarity index 100% rename from windows/windows-11/windows-11-overview.md rename to windows/sv/windows-11-overview.md diff --git a/windows/windows-11/windows-11-requirements.md b/windows/sv/windows-11-requirements.md similarity index 100% rename from windows/windows-11/windows-11-requirements.md rename to windows/sv/windows-11-requirements.md diff --git a/windows/whats-new/sv/TOC.yml b/windows/whats-new/sv/TOC.yml new file mode 100644 index 0000000000..ad14e66327 --- /dev/null +++ b/windows/whats-new/sv/TOC.yml @@ -0,0 +1,36 @@ +- name: Windows 11 + href: index.yml + items: + - name: Get started + items: + - name: Windows 11 overview + href: windows-11-overview.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Windows 11 FAQ + href: windows-11-faq.md + + - name: Deploy and Manage Windows 11 + items: + - name: Plan to deploy Windows 11 + href: /windows/deployment/windows-11-plan + - name: Prepare for Windows 11 + href: /windows/deployment/windows-11-prepare.md + - name: Deploy Windows 11 + href: /windows/deployment/windows-11-deploy.md + - name: Configure Windows 11 + href: /windows/configuration/windows-11-configure.md + - name: Manage Windows 11 + href: /windows/client-management/windows-11-manage.md + - name: Windows 11 application readiness + href: /windows/application-management/windows-11-app-readiness.md + + - name: Support + items: + - name: Windows 11 lifecycle + href: windows-11-lifecycle.md + - name: Windows 11 release information + href: /windows/release-health + + + diff --git a/windows/whats-new/sv/breadcrumb/toc.yml b/windows/whats-new/sv/breadcrumb/toc.yml new file mode 100644 index 0000000000..e2971f2d84 --- /dev/null +++ b/windows/whats-new/sv/breadcrumb/toc.yml @@ -0,0 +1,53 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows + topicHref: /windows/windows-10 + items: + - name: What's new + tocHref: /windows/whats-new/ + topicHref: /windows/whats-new/index + - name: Configuration + tocHref: /windows/configuration/ + topicHref: /windows/configuration/index + - name: Deployment + tocHref: /windows/deployment/ + topicHref: /windows/deployment/index + - name: Application management + tocHref: /windows/application-management/ + topicHref: /windows/application-management/index + - name: Client management + tocHref: /windows/client-management/ + topicHref: /windows/client-management/index + items: + - name: Mobile Device Management + tocHref: /windows/client-management/mdm/ + topicHref: /windows/client-management/mdm/index + - name: Release information + tocHref: /windows/release-information/ + topicHref: /windows/release-health/release-information + - name: Privacy + tocHref: /windows/privacy/ + topicHref: /windows/privacy/index + - name: Security + tocHref: /windows/security/ + topicHref: /windows/security/index + items: + - name: Identity and access protection + tocHref: /windows/security/identity-protection/ + topicHref: /windows/security/identity-protection/index + items: + - name: Windows Hello for Business + tocHref: /windows/security/identity-protection/hello-for-business + topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification + - name: Threat protection + tocHref: /windows/security/threat-protection/ + topicHref: /windows/security/threat-protection/index + - name: Information protection + tocHref: /windows/security/information-protection/ + topicHref: /windows/security/information-protection/index + - name: Hardware-based protection + tocHref: /windows/security/hardware-protection/ + topicHref: /windows/security/hardware-protection/index diff --git a/windows/whats-new/sv/docfx.json b/windows/whats-new/sv/docfx.json new file mode 100644 index 0000000000..e7955464fe --- /dev/null +++ b/windows/whats-new/sv/docfx.json @@ -0,0 +1,51 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices.md" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "windows-11", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/whats-new/sv/index.yml b/windows/whats-new/sv/index.yml new file mode 100644 index 0000000000..5e33fe3113 --- /dev/null +++ b/windows/whats-new/sv/index.yml @@ -0,0 +1,63 @@ +### YamlMime:Landing + +title: Windows SV # < 60 chars +summary: Find out about Windows Windows 11. # < 160 chars + +metadata: + title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/07/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Get started + linkLists: + - linkListType: overview + links: + - text: Windows Windows 11 overview + url: sv-overview.md + - text: Windows Windows 11 requirements + url: sv-requirements.md + - text: Windows Windows 11 FAQ + url: sv-faq.md + + # Card (optional) + - title: Deploy Windows 11 + linkLists: + - linkListType: overview + links: + - text: Plan to deploy Windows Windows 11 + url: /windows/deployment/sv-plan.md + - text: Prepare for Windows Windows 11 + url: /windows/deployment/sv-prepare.md + - text: Deploy Windows Windows 11 + url: /windows/deployment/sv-deploy.md + - text: Configure Windows Windows 11 + url: /windows/configuration/sv-configure.md + - text: Manage Windows Windows 11 + url: /windows/client-management/sv-manage.md + - text: Windows Windows 11 application readiness + url: /windows/application-management/sv-app-readiness.md + + # Card (optional) + - title: Support information + linkLists: + - linkListType: overview + links: + - text: Windows Windows 11 lifecycle + url: placeholder.md + - text: Windows Windows 11 release information + url: ../release-health + diff --git a/windows/whats-new/sv/placeholder.md b/windows/whats-new/sv/placeholder.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/whats-new/sv/placeholder.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/whats-new/sv/windows-11-faq.md b/windows/whats-new/sv/windows-11-faq.md new file mode 100644 index 0000000000..1ac810bb60 --- /dev/null +++ b/windows/whats-new/sv/windows-11-faq.md @@ -0,0 +1,21 @@ +--- +title: Placeholder +description: PH +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 frequently asked questions (FAQ) + +FAQ. + diff --git a/windows/whats-new/sv/windows-11-lifecycle.md b/windows/whats-new/sv/windows-11-lifecycle.md new file mode 100644 index 0000000000..fab8fda180 --- /dev/null +++ b/windows/whats-new/sv/windows-11-lifecycle.md @@ -0,0 +1,21 @@ +--- +title: Lifecycle +description: Lifecycle information for Windows 11 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 lifecycle + +Windows 11 lifecycle. + diff --git a/windows/whats-new/sv/windows-11-overview.md b/windows/whats-new/sv/windows-11-overview.md new file mode 100644 index 0000000000..f39f5e4c23 --- /dev/null +++ b/windows/whats-new/sv/windows-11-overview.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 overview + +Overview of Windows 11. + diff --git a/windows/whats-new/sv/windows-11-requirements.md b/windows/whats-new/sv/windows-11-requirements.md new file mode 100644 index 0000000000..482850a4f9 --- /dev/null +++ b/windows/whats-new/sv/windows-11-requirements.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 requirements + +Windows 11 requirements. + From 9fd633ba5a9bf87b9868997929b69b44db80a164 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:38:29 +0500 Subject: [PATCH 039/370] update basic-audit-account-management.md --- .../basic-audit-account-management.md | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..dd21f98e57 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -46,48 +46,48 @@ You can configure this security setting by opening the appropriate policy under | Account management events | Description | |---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | | 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From ab320a70eac965e084f5e73670f000c27b9d559a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:24:45 +0500 Subject: [PATCH 040/370] Update Proxy servers and Internal proxy servers Made changes in Proxy servers and Internal proxy servers. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9499 --- .../create-wip-policy-using-intune-azure.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..69a4976fae 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -497,8 +497,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From 1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 13:57:37 -0700 Subject: [PATCH 041/370] Added a note to page The note about separating allow and deny rules is at the end of the "More information about file path rules" section. --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..d6e4970eb9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,6 +126,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +>[!NOTE] +>We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy. + ## More information about hashes ### Why does scan create four hash rules per XML file? From 0dd7f54dfb636f8e3ed3a5308ae96ba93323928b Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 14:00:59 -0700 Subject: [PATCH 042/370] content in whats new --- windows/whats-new/TOC.yml | 36 +++++++---- windows/whats-new/sv/TOC.yml | 36 ----------- windows/whats-new/sv/breadcrumb/toc.yml | 53 ---------------- windows/whats-new/sv/docfx.json | 51 --------------- windows/whats-new/sv/index.yml | 63 ------------------- windows/whats-new/sv/placeholder.md | 22 ------- windows/whats-new/sv/windows-11-faq.md | 21 ------- windows/whats-new/sv/windows-11-lifecycle.md | 21 ------- windows/whats-new/windows-sv-get-started.md | 51 +++++++++++++++ ...-11-overview.md => windows-sv-overview.md} | 0 ...irements.md => windows-sv-requirements.md} | 0 11 files changed, 74 insertions(+), 280 deletions(-) delete mode 100644 windows/whats-new/sv/TOC.yml delete mode 100644 windows/whats-new/sv/breadcrumb/toc.yml delete mode 100644 windows/whats-new/sv/docfx.json delete mode 100644 windows/whats-new/sv/index.yml delete mode 100644 windows/whats-new/sv/placeholder.md delete mode 100644 windows/whats-new/sv/windows-11-faq.md delete mode 100644 windows/whats-new/sv/windows-11-lifecycle.md create mode 100644 windows/whats-new/windows-sv-get-started.md rename windows/whats-new/{sv/windows-11-overview.md => windows-sv-overview.md} (100%) rename windows/whats-new/{sv/windows-11-requirements.md => windows-sv-requirements.md} (100%) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index b0d672f68c..2afb052a34 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,19 +1,29 @@ -- name: What's new in Windows 10 +- name: What's new in Windows client href: index.yml -- name: What's new in Windows 10, version 21H1 - href: whats-new-windows-10-version-21H1.md -- name: What's new in Windows 10, version 20H2 - href: whats-new-windows-10-version-20H2.md -- name: What's new in Windows 10, version 2004 - href: whats-new-windows-10-version-2004.md -- name: What's new in Windows 10, version 1909 - href: whats-new-windows-10-version-1909.md -- name: What's new in Windows 10, version 1903 - href: whats-new-windows-10-version-1903.md -- name: What's new in Windows 10, version 1809 - href: whats-new-windows-10-version-1809.md +- name: Windows Sun Valley + items: + - name: Windows Sun Valley overview + href: sv-overview.md + - name: Windows Sun Valley requirements + href: sv-requirements.md + - name: Get started with Windows Sun Valley + href: sv-get-started.md +- name: Windows 10 + items: + - name: What's new in Windows 10, version 21H1 + href: whats-new-windows-10-version-21H1.md + - name: What's new in Windows 10, version 20H2 + href: whats-new-windows-10-version-20H2.md + - name: What's new in Windows 10, version 2004 + href: whats-new-windows-10-version-2004.md + - name: What's new in Windows 10, version 1909 + href: whats-new-windows-10-version-1909.md + - name: What's new in Windows 10, version 1903 + href: whats-new-windows-10-version-1903.md - name: Previous versions items: + - name: What's new in Windows 10, version 1809 + href: whats-new-windows-10-version-1809.md - name: What's new in Windows 10, version 1803 href: whats-new-windows-10-version-1803.md - name: What's new in Windows 10, version 1709 diff --git a/windows/whats-new/sv/TOC.yml b/windows/whats-new/sv/TOC.yml deleted file mode 100644 index ad14e66327..0000000000 --- a/windows/whats-new/sv/TOC.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: Windows 11 - href: index.yml - items: - - name: Get started - items: - - name: Windows 11 overview - href: windows-11-overview.md - - name: Windows 11 requirements - href: windows-11-requirements.md - - name: Windows 11 FAQ - href: windows-11-faq.md - - - name: Deploy and Manage Windows 11 - items: - - name: Plan to deploy Windows 11 - href: /windows/deployment/windows-11-plan - - name: Prepare for Windows 11 - href: /windows/deployment/windows-11-prepare.md - - name: Deploy Windows 11 - href: /windows/deployment/windows-11-deploy.md - - name: Configure Windows 11 - href: /windows/configuration/windows-11-configure.md - - name: Manage Windows 11 - href: /windows/client-management/windows-11-manage.md - - name: Windows 11 application readiness - href: /windows/application-management/windows-11-app-readiness.md - - - name: Support - items: - - name: Windows 11 lifecycle - href: windows-11-lifecycle.md - - name: Windows 11 release information - href: /windows/release-health - - - diff --git a/windows/whats-new/sv/breadcrumb/toc.yml b/windows/whats-new/sv/breadcrumb/toc.yml deleted file mode 100644 index e2971f2d84..0000000000 --- a/windows/whats-new/sv/breadcrumb/toc.yml +++ /dev/null @@ -1,53 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / - items: - - name: Windows - tocHref: /windows - topicHref: /windows/windows-10 - items: - - name: What's new - tocHref: /windows/whats-new/ - topicHref: /windows/whats-new/index - - name: Configuration - tocHref: /windows/configuration/ - topicHref: /windows/configuration/index - - name: Deployment - tocHref: /windows/deployment/ - topicHref: /windows/deployment/index - - name: Application management - tocHref: /windows/application-management/ - topicHref: /windows/application-management/index - - name: Client management - tocHref: /windows/client-management/ - topicHref: /windows/client-management/index - items: - - name: Mobile Device Management - tocHref: /windows/client-management/mdm/ - topicHref: /windows/client-management/mdm/index - - name: Release information - tocHref: /windows/release-information/ - topicHref: /windows/release-health/release-information - - name: Privacy - tocHref: /windows/privacy/ - topicHref: /windows/privacy/index - - name: Security - tocHref: /windows/security/ - topicHref: /windows/security/index - items: - - name: Identity and access protection - tocHref: /windows/security/identity-protection/ - topicHref: /windows/security/identity-protection/index - items: - - name: Windows Hello for Business - tocHref: /windows/security/identity-protection/hello-for-business - topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification - - name: Threat protection - tocHref: /windows/security/threat-protection/ - topicHref: /windows/security/threat-protection/index - - name: Information protection - tocHref: /windows/security/information-protection/ - topicHref: /windows/security/information-protection/index - - name: Hardware-based protection - tocHref: /windows/security/hardware-protection/ - topicHref: /windows/security/hardware-protection/index diff --git a/windows/whats-new/sv/docfx.json b/windows/whats-new/sv/docfx.json deleted file mode 100644 index e7955464fe..0000000000 --- a/windows/whats-new/sv/docfx.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices.md" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", - "extendBreadcrumb": true, - "feedback_system": "None" - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-11", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/whats-new/sv/index.yml b/windows/whats-new/sv/index.yml deleted file mode 100644 index 5e33fe3113..0000000000 --- a/windows/whats-new/sv/index.yml +++ /dev/null @@ -1,63 +0,0 @@ -### YamlMime:Landing - -title: Windows SV # < 60 chars -summary: Find out about Windows Windows 11. # < 160 chars - -metadata: - title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: windows-10 - author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. - ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 05/07/2021 #Required; mm/dd/yyyy format. - localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new - -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Get started - linkLists: - - linkListType: overview - links: - - text: Windows Windows 11 overview - url: sv-overview.md - - text: Windows Windows 11 requirements - url: sv-requirements.md - - text: Windows Windows 11 FAQ - url: sv-faq.md - - # Card (optional) - - title: Deploy Windows 11 - linkLists: - - linkListType: overview - links: - - text: Plan to deploy Windows Windows 11 - url: /windows/deployment/sv-plan.md - - text: Prepare for Windows Windows 11 - url: /windows/deployment/sv-prepare.md - - text: Deploy Windows Windows 11 - url: /windows/deployment/sv-deploy.md - - text: Configure Windows Windows 11 - url: /windows/configuration/sv-configure.md - - text: Manage Windows Windows 11 - url: /windows/client-management/sv-manage.md - - text: Windows Windows 11 application readiness - url: /windows/application-management/sv-app-readiness.md - - # Card (optional) - - title: Support information - linkLists: - - linkListType: overview - links: - - text: Windows Windows 11 lifecycle - url: placeholder.md - - text: Windows Windows 11 release information - url: ../release-health - diff --git a/windows/whats-new/sv/placeholder.md b/windows/whats-new/sv/placeholder.md deleted file mode 100644 index fecfe94a8e..0000000000 --- a/windows/whats-new/sv/placeholder.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Placeholder -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Placeholder - -Placeholder text. - diff --git a/windows/whats-new/sv/windows-11-faq.md b/windows/whats-new/sv/windows-11-faq.md deleted file mode 100644 index 1ac810bb60..0000000000 --- a/windows/whats-new/sv/windows-11-faq.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Placeholder -description: PH -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 frequently asked questions (FAQ) - -FAQ. - diff --git a/windows/whats-new/sv/windows-11-lifecycle.md b/windows/whats-new/sv/windows-11-lifecycle.md deleted file mode 100644 index fab8fda180..0000000000 --- a/windows/whats-new/sv/windows-11-lifecycle.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Lifecycle -description: Lifecycle information for Windows 11 -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 lifecycle - -Windows 11 lifecycle. - diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-get-started.md new file mode 100644 index 0000000000..c2522f3e4c --- /dev/null +++ b/windows/whats-new/windows-sv-get-started.md @@ -0,0 +1,51 @@ +--- +title: Get started with Windows 10, version 1709 +description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. +keywords: ["get started", "windows 10", "fall creators update", "1709"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dansimp +ms.author: dansimp +ms.date: 10/16/2017 +ms.reviewer: +manager: dansimp +ms.localizationpriority: high +ms.topic: article +--- + +# Get started with Windows 10, version 1709 + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10. + +## Specification and systems requirements + +Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features. + +## What's new in Windows 10, version 1709 IT Pro content + +Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709. + +## Windows 10 release information and update history + +To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page. + +## Windows 10 Roadmap + +If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. + +## Top support solutions for Windows 10 + +Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. + +> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com). + +Ready to get started with Windows 10, version 1709? +> [!div class="nextstepaction"] +> [Deploy and Update Windows 10](/windows/deployment) diff --git a/windows/whats-new/sv/windows-11-overview.md b/windows/whats-new/windows-sv-overview.md similarity index 100% rename from windows/whats-new/sv/windows-11-overview.md rename to windows/whats-new/windows-sv-overview.md diff --git a/windows/whats-new/sv/windows-11-requirements.md b/windows/whats-new/windows-sv-requirements.md similarity index 100% rename from windows/whats-new/sv/windows-11-requirements.md rename to windows/whats-new/windows-sv-requirements.md From dc04f0325f595f9f7d1ac7e9de31adc8f9208a2e Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 14:09:02 -0700 Subject: [PATCH 043/370] link fix --- windows/whats-new/TOC.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 2afb052a34..4ee09a9849 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -3,11 +3,11 @@ - name: Windows Sun Valley items: - name: Windows Sun Valley overview - href: sv-overview.md + href: windows-sv-overview.md - name: Windows Sun Valley requirements - href: sv-requirements.md + href: windows-sv-requirements.md - name: Get started with Windows Sun Valley - href: sv-get-started.md + href: windows-sv-get-started.md - name: Windows 10 items: - name: What's new in Windows 10, version 21H1 From a09acb3d6a645a0c3e07564b0672a07c1956bbc8 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 16:09:25 -0700 Subject: [PATCH 044/370] edits --- windows/hub/TOC.yml | 6 +++--- windows/hub/index.yml | 18 +++++++++--------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 812bcc04b5..71671b2312 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -1,12 +1,12 @@ -- name: Windows client +- name: Windows href: index.yml items: + - name: Windows Sun Valley + href: /windows/whats-new/windows-sv-overview.md - name: What's new href: /windows/whats-new - name: Release information href: /windows/release-health - - name: Windows 11 - href: /windows/windows-11 - name: Deployment href: /windows/deployment - name: Configuration diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 572df40317..97ba2fdf8a 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -26,13 +26,13 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows 11 overview - url: /windows-11/windows-11-overview.md - - text: What's new in Windows 11, version 21H2 + - text: Windows SV overview + url: /windows-11/windows-sv-overview.md + - text: What's new in Windows SV, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows 11 release information + - text: Windows Sun Valley release information url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -44,7 +44,7 @@ landingContent: links: - text: Configure Windows client url: /windows/configuration/index - - text: Configure Windows 11 + - text: Configure Windows Sun Valley url: /windows/configuration/windows-11-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros @@ -60,8 +60,8 @@ landingContent: links: - text: Deploy and update Windows client url: /windows/deployment/index - - text: Deploy Windows 11 - url: /windows/deployment/windows-11-deploy.md + - text: Deploy Windows Sun Valley + url: /windows/deployment/windows-sv-deploy.md - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -77,7 +77,7 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Manage Windows 11 applications + - text: Manage Windows SV applications url: /windows/application-management/windows-11-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 @@ -93,7 +93,7 @@ landingContent: links: - text: Windows client management url: /windows/client-management/index - - text: Manage Windows 11 + - text: Manage Windows Sun Valley url: /windows/client-management/windows-11-manage.md - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 From 9a3aeb4b74bd72ae4c16f2cc712dac4f73e563a2 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 16:26:53 -0700 Subject: [PATCH 045/370] edits --- .../windows-sv-app-manage.md | 17 ++++++++++++++++ .../client-management/windows-sv-manage.md | 19 ++++++++++++++++++ windows/configuration/windows-sv-configure.md | 17 ++++++++++++++++ ...dows-11-deploy.md => windows-sv-deploy.md} | 0 ...{windows-11-plan.md => windows-sv-plan.md} | 0 ...ws-11-prepare.md => windows-sv-prepare.md} | 0 windows/hub/index.yml | 20 +++++++++---------- 7 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 windows/application-management/windows-sv-app-manage.md create mode 100644 windows/client-management/windows-sv-manage.md create mode 100644 windows/configuration/windows-sv-configure.md rename windows/deployment/{windows-11-deploy.md => windows-sv-deploy.md} (100%) rename windows/deployment/{windows-11-plan.md => windows-sv-plan.md} (100%) rename windows/deployment/{windows-11-prepare.md => windows-sv-prepare.md} (100%) diff --git a/windows/application-management/windows-sv-app-manage.md b/windows/application-management/windows-sv-app-manage.md new file mode 100644 index 0000000000..86ee8a28c0 --- /dev/null +++ b/windows/application-management/windows-sv-app-manage.md @@ -0,0 +1,17 @@ +--- +title: Manage applications in Windows Sun Valley +ms.reviewer: +manager: dansimp +description: Use this article to understand the different types of apps that run on Windows Sun Valley, such as UWP and Win32 apps. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: greglin +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- +# Manage applications in Windows Sun Valley + +>Applies to: Windows Sun Valley diff --git a/windows/client-management/windows-sv-manage.md b/windows/client-management/windows-sv-manage.md new file mode 100644 index 0000000000..22704843bd --- /dev/null +++ b/windows/client-management/windows-sv-manage.md @@ -0,0 +1,19 @@ +--- +title: Manage Windows Sun Valley in your organization +description: This topic offers strategies for deploying and managing Windows Sun Valley, including deploying Windows Sun Valley in a mixed environment. +keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices +author: dansimp +ms.localizationpriority: medium +ms.date: 04/26/2018 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +--- + +# Manage Windows Sun Valley in your organization + diff --git a/windows/configuration/windows-sv-configure.md b/windows/configuration/windows-sv-configure.md new file mode 100644 index 0000000000..2a7ccf17d1 --- /dev/null +++ b/windows/configuration/windows-sv-configure.md @@ -0,0 +1,17 @@ +--- +title: Configure Windows Sun Valley +description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: ["taskbar layout","pin apps"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.topic: article +ms.localizationpriority: medium +ms.date: 01/18/2018 +ms.reviewer: +manager: dansimp +--- +# Configure Windows Sun Valley + diff --git a/windows/deployment/windows-11-deploy.md b/windows/deployment/windows-sv-deploy.md similarity index 100% rename from windows/deployment/windows-11-deploy.md rename to windows/deployment/windows-sv-deploy.md diff --git a/windows/deployment/windows-11-plan.md b/windows/deployment/windows-sv-plan.md similarity index 100% rename from windows/deployment/windows-11-plan.md rename to windows/deployment/windows-sv-plan.md diff --git a/windows/deployment/windows-11-prepare.md b/windows/deployment/windows-sv-prepare.md similarity index 100% rename from windows/deployment/windows-11-prepare.md rename to windows/deployment/windows-sv-prepare.md diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 97ba2fdf8a..1013fb36b3 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -26,14 +26,14 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows SV overview - url: /windows-11/windows-sv-overview.md - - text: What's new in Windows SV, version 21H2 - url: /windows/whats-new/whats-new-windows-10-version-21H1 + - text: Windows Sun Valley overview + url: /windows/whats-new/windows-sv-overview.md + - text: Windows Sun Valley requirements + url: /windows/whats-new/windows-sv-requirements.md + - text: Get started with Windows Sun Valley + url: /windows/whats-new/get-started-windows-sv.md - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows Sun Valley release information - url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -45,7 +45,7 @@ landingContent: - text: Configure Windows client url: /windows/configuration/index - text: Configure Windows Sun Valley - url: /windows/configuration/windows-11-configure.md + url: /windows/configuration/windows-sv-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -77,8 +77,8 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Manage Windows SV applications - url: /windows/application-management/windows-11-app-manage.md + - text: Manage Windows Sun Valley applications + url: /windows/application-management/windows-sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -94,7 +94,7 @@ landingContent: - text: Windows client management url: /windows/client-management/index - text: Manage Windows Sun Valley - url: /windows/client-management/windows-11-manage.md + url: /windows/client-management/windows-sv-manage.md - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles From dd2fcb113d1fcf73b056d6666057d478d25523c5 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 16:46:49 -0700 Subject: [PATCH 046/370] edits --- windows/whats-new/index.yml | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 45c6930684..7531bc087e 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -22,6 +22,26 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) + + - title: Windows Sun Valley + linkLists: + - linkListType: overview + links: + - text: Windows Sun Valley Overview + url: windows-sv-overview.md + - text: Windows Sun Valley requirements + url: windows-sv-requirements.md + - text: Get started with Windows Sun Valley + url: windows-sv-get-started.md + - text: Deploy Windows Sun Valley + url: /windows/deployment/windows-sv-deploy.md + - text: Windows Sun Valley app management + url: /windows/application-managerment/windows-sv-app-manage.md + - text: Configure Windows Sun Valley + url: /windows/configuration/windows-sv-configure.md + - text: Manage Windows Sun Valley clients + url: /windows/client-management/windows-sv-manage.md + - title: What's new in Windows 10 linkLists: - linkListType: overview @@ -57,13 +77,7 @@ landingContent: url: /windows/deployment/planning/windows-10-removed-features - text: Compare Windows 10 Editions url: https://go.microsoft.com/fwlink/p/?LinkId=690485 - - # Card (optional) - - title: See also - linkLists: - - linkListType: overview - links: - text: Windows 10 Enterprise LTSC url: ltsc/index.md - text: Edit an existing topic using the Edit link - url: contribute-to-a-topic.md \ No newline at end of file + url: contribute-to-a-topic.md From a7aad9ca114beee8c588581bdbb7fa0f0a35863a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 16:47:01 -0700 Subject: [PATCH 047/370] Restored event ID 3086 and added event ID 8036 Event ID updates are for event-id-explanation. Also, I reworked the language in the new note added in the More information about firewall rules section. --- .../event-id-explanations.md | 3 ++- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 849d3ce821..b1da16e27a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,6 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | +| 8036| COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events @@ -108,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs| +| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index d6e4970eb9..f110ba66c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. >[!NOTE] ->We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy. +>For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. ## More information about hashes From 3a01b40ec9a985a2e41a98b930123d584a8ad0bd Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 17:13:12 -0700 Subject: [PATCH 048/370] Added link to event ID 8036 in the event id explanation doc Also, I added a space to the new note in select type of rules doc. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b1da16e27a..fb6a29d22d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs | +| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f110ba66c4..91b1a1725e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,8 +126,8 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. ->[!NOTE] ->For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> [!NOTE] +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. ## More information about hashes From 5f4f59a8dcdc3f4eaa0c0743bafb40648c084eb5 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 19:27:32 -0700 Subject: [PATCH 049/370] edits --- windows/whats-new/TOC.yml | 2 +- windows/whats-new/index.yml | 29 +++++++++-------------------- 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 4ee09a9849..cc890c69f0 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,4 +1,4 @@ -- name: What's new in Windows client +- name: What's new in Windows href: index.yml - name: Windows Sun Valley items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 7531bc087e..e1c75debe3 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing -title: What's new in Windows 10 # < 60 chars -summary: Find out about new features and capabilities in the latest release of Windows 10. # < 160 chars +title: What's new in Windows # < 60 chars +summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # < 160 chars metadata: - title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars. + title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 02/09/2021 #Required; mm/dd/yyyy format. + ms.date: 06/02/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -33,14 +33,7 @@ landingContent: url: windows-sv-requirements.md - text: Get started with Windows Sun Valley url: windows-sv-get-started.md - - text: Deploy Windows Sun Valley - url: /windows/deployment/windows-sv-deploy.md - - text: Windows Sun Valley app management - url: /windows/application-managerment/windows-sv-app-manage.md - - text: Configure Windows Sun Valley - url: /windows/configuration/windows-sv-configure.md - - text: Manage Windows Sun Valley clients - url: /windows/client-management/windows-sv-manage.md + - title: What's new in Windows 10 linkLists: @@ -56,8 +49,6 @@ landingContent: url: whats-new-windows-10-version-1909.md - text: What's new in Windows 10, version 1903 url: whats-new-windows-10-version-1903.md - - text: What's new in Windows 10, version 1809 - url: whats-new-windows-10-version-1809.md # Card (optional) @@ -65,11 +56,11 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows 10 release information + - text: Windows release information url: /windows/release-health/release-information - - text: Windows 10 release health dashboard + - text: Windows release health dashboard url: /windows/release-information/ - - text: Windows 10 update history + - text: Windows update history url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3 - text: Windows 10 features we’re no longer developing url: /windows/deployment/planning/windows-10-deprecated-features @@ -79,5 +70,3 @@ landingContent: url: https://go.microsoft.com/fwlink/p/?LinkId=690485 - text: Windows 10 Enterprise LTSC url: ltsc/index.md - - text: Edit an existing topic using the Edit link - url: contribute-to-a-topic.md From 98f419251ca43ddcfdbae667089c6995cfc02502 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 19:46:44 -0700 Subject: [PATCH 050/370] edits --- windows/hub/TOC.yml | 9 ++-- windows/whats-new/windows-sv-get-started.md | 46 ++++---------------- windows/whats-new/windows-sv-overview.md | 8 ++-- windows/whats-new/windows-sv-requirements.md | 8 ++-- 4 files changed, 22 insertions(+), 49 deletions(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 71671b2312..d8320ed98c 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -1,10 +1,13 @@ - name: Windows href: index.yml items: - - name: Windows Sun Valley - href: /windows/whats-new/windows-sv-overview.md - name: What's new - href: /windows/whats-new + expanded: true + items: + - name: What's new in Windows + href: /windows/whats-new + - name: Windows Sun Valley + href: /windows/whats-new/windows-sv-overview.md - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-get-started.md index c2522f3e4c..3bcdd4f4e0 100644 --- a/windows/whats-new/windows-sv-get-started.md +++ b/windows/whats-new/windows-sv-get-started.md @@ -1,51 +1,21 @@ --- -title: Get started with Windows 10, version 1709 -description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. -keywords: ["get started", "windows 10", "fall creators update", "1709"] +title: Get started with Windows Sun Valley +description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +keywords: ["get started", "windows sun valley"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.date: 10/16/2017 ms.reviewer: -manager: dansimp +manager: laurawi ms.localizationpriority: high ms.topic: article --- -# Get started with Windows 10, version 1709 +# Get started with Windows Sun Valley **Applies to** -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10. - -## Specification and systems requirements - -Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features. - -## What's new in Windows 10, version 1709 IT Pro content - -Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709. - -## Windows 10 release information and update history - -To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page. - -## Windows 10 Roadmap - -If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. - -## Top support solutions for Windows 10 - -Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. - -> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com). - -Ready to get started with Windows 10, version 1709? -> [!div class="nextstepaction"] -> [Deploy and Update Windows 10](/windows/deployment) +- Windows Sun Valley diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index f39f5e4c23..7b375294fe 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -1,6 +1,6 @@ --- -title: Placeholder -description: PH +title: Windows Sun Valley overview +description: Overview of Windows Sun Valley ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 11 overview +# Windows Sun Valley overview -Overview of Windows 11. +Overview of Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 482850a4f9..8c7e043b4e 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -1,6 +1,6 @@ --- -title: Placeholder -description: PH +title: Windows Sun Valley requirements +description: Hardware requirements to deploy Windows Sun Valley ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 11 requirements +# Windows Sun Valley requirements -Windows 11 requirements. +Windows Sun Valley requirements. From 802d5c6d87fd2c3de55894ab0b3d93412cc4d23d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 19:57:04 -0700 Subject: [PATCH 051/370] edits --- windows/hub/TOC.yml | 2 +- windows/hub/index.yml | 6 +++--- windows/whats-new/TOC.yml | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index d8320ed98c..0b7e4c7651 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -7,7 +7,7 @@ - name: What's new in Windows href: /windows/whats-new - name: Windows Sun Valley - href: /windows/whats-new/windows-sv-overview.md + href: whats-new/windows-sv-overview.md - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 1013fb36b3..372692de4c 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -34,7 +34,7 @@ landingContent: url: /windows/whats-new/get-started-windows-sv.md - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows 10 release information + - text: Windows release information url: /windows/release-health/release-information # Card (optional) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index cc890c69f0..21c6326fb5 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,6 +1,7 @@ - name: What's new in Windows href: index.yml - name: Windows Sun Valley + expanded: true items: - name: Windows Sun Valley overview href: windows-sv-overview.md @@ -9,6 +10,7 @@ - name: Get started with Windows Sun Valley href: windows-sv-get-started.md - name: Windows 10 + expanded: true items: - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md From 15cac4271a529104b3594a1de5f11d205c81d23f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 20:01:30 -0700 Subject: [PATCH 052/370] edits --- windows/hub/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 0b7e4c7651..13a76d8a85 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -7,7 +7,7 @@ - name: What's new in Windows href: /windows/whats-new - name: Windows Sun Valley - href: whats-new/windows-sv-overview.md + href: whats-new/windows-sv-overview - name: Release information href: /windows/release-health - name: Deployment From d97c072e54335eb4c8f40cd7812a2fb13daa2a8e Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 20:05:09 -0700 Subject: [PATCH 053/370] edits --- windows/hub/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 372692de4c..14991296ce 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -42,7 +42,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Configure Windows client + - text: Configure Windows url: /windows/configuration/index - text: Configure Windows Sun Valley url: /windows/configuration/windows-sv-configure.md @@ -58,7 +58,7 @@ landingContent: linkLists: - linkListType: deploy links: - - text: Deploy and update Windows client + - text: Deploy and update Windows url: /windows/deployment/index - text: Deploy Windows Sun Valley url: /windows/deployment/windows-sv-deploy.md From 006dc81e807bf7c55248723d73b8fe0881c47f84 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 20:08:07 -0700 Subject: [PATCH 054/370] cant get link to work --- windows/hub/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 13a76d8a85..18f3f6c535 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -7,7 +7,7 @@ - name: What's new in Windows href: /windows/whats-new - name: Windows Sun Valley - href: whats-new/windows-sv-overview + href: /windows/whats-new/windows-sv-overview - name: Release information href: /windows/release-health - name: Deployment From e09986f3beda35c0d0e04a1d3b17c89c2f0703ae Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 20:15:22 -0700 Subject: [PATCH 055/370] fixup --- windows/deployment/TOC.yml | 8 ++-- windows/deployment/index.yml | 2 +- windows/sv/index.yml | 42 +++++++++---------- windows/sv/windows-11-faq.md | 21 ---------- ...1-lifecycle.md => windows-sv-lifecycle.md} | 0 ...-11-overview.md => windows-sv-overview.md} | 0 ...irements.md => windows-sv-requirements.md} | 0 7 files changed, 25 insertions(+), 48 deletions(-) delete mode 100644 windows/sv/windows-11-faq.md rename windows/sv/{windows-11-lifecycle.md => windows-sv-lifecycle.md} (100%) rename windows/sv/{windows-11-overview.md => windows-sv-overview.md} (100%) rename windows/sv/{windows-11-requirements.md => windows-sv-requirements.md} (100%) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 50fd1c8bb7..0e2693fd62 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -6,7 +6,7 @@ - name: What's new href: deploy-whats-new.md - name: Windows 11 deployment overview - href: windows-11-deploy.md + href: windows-sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -36,7 +36,7 @@ - name: Plan items: - name: Windows 11 deployment planning - href: windows-11-plan.md + href: windows-sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare to deploy Windows 11 - href: windows-11-prepare.md + href: windows-sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -105,7 +105,7 @@ - name: Deploy Windows client items: - name: Windows 11 deployment overview - href: windows-11-deploy.md + href: windows-sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - name: Deploy Windows client with Configuration Manager diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index f6f9bf26ec..7b8a56f315 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -67,7 +67,7 @@ landingContent: - text: What's new in Windows deployment url: deploy-whats-new.md - text: Windows 11 deployment overview - url: sv-deploy.md + url: windows-sv-deploy.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 5e33fe3113..9ce50839f3 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows SV # < 60 chars -summary: Find out about Windows Windows 11. # < 160 chars +summary: Find out about Windows Windows Sun Valley. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -26,38 +26,36 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Windows 11 overview - url: sv-overview.md - - text: Windows Windows 11 requirements - url: sv-requirements.md - - text: Windows Windows 11 FAQ - url: sv-faq.md + - text: Windows Sun Valley overview + url: windows-sv-overview.md + - text: Windows Sun Valley requirements + url: windows-sv-requirements.md # Card (optional) - - title: Deploy Windows 11 + - title: Deploy Windows Sun Valley linkLists: - linkListType: overview links: - - text: Plan to deploy Windows Windows 11 - url: /windows/deployment/sv-plan.md - - text: Prepare for Windows Windows 11 - url: /windows/deployment/sv-prepare.md - - text: Deploy Windows Windows 11 - url: /windows/deployment/sv-deploy.md - - text: Configure Windows Windows 11 + - text: Plan to deploy Windows Windows Sun Valley + url: /windows/deployment/windows-sv-plan.md + - text: Prepare for Windows Windows Sun Valley + url: /windows/deployment/windows-sv-prepare.md + - text: Deploy Windows Windows Sun Valley + url: /windows/deployment/windows-sv-deploy.md + - text: Configure Windows Windows Sun Valley url: /windows/configuration/sv-configure.md - - text: Manage Windows Windows 11 - url: /windows/client-management/sv-manage.md - - text: Windows Windows 11 application readiness - url: /windows/application-management/sv-app-readiness.md + - text: Manage Windows Windows Sun Valley + url: /windows/client-management/windows-sv-manage.md + - text: Windows Windows Sun Valley application readiness + url: /windows/application-management/windows-sv-app-readiness.md # Card (optional) - title: Support information linkLists: - linkListType: overview links: - - text: Windows Windows 11 lifecycle + - text: Windows Windows Sun Valley lifecycle url: placeholder.md - - text: Windows Windows 11 release information - url: ../release-health + - text: Windows Windows Sun Valley release information + url: /windows/release-health diff --git a/windows/sv/windows-11-faq.md b/windows/sv/windows-11-faq.md deleted file mode 100644 index 1ac810bb60..0000000000 --- a/windows/sv/windows-11-faq.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Placeholder -description: PH -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 frequently asked questions (FAQ) - -FAQ. - diff --git a/windows/sv/windows-11-lifecycle.md b/windows/sv/windows-sv-lifecycle.md similarity index 100% rename from windows/sv/windows-11-lifecycle.md rename to windows/sv/windows-sv-lifecycle.md diff --git a/windows/sv/windows-11-overview.md b/windows/sv/windows-sv-overview.md similarity index 100% rename from windows/sv/windows-11-overview.md rename to windows/sv/windows-sv-overview.md diff --git a/windows/sv/windows-11-requirements.md b/windows/sv/windows-sv-requirements.md similarity index 100% rename from windows/sv/windows-11-requirements.md rename to windows/sv/windows-sv-requirements.md From 9d3f37c97518a8655fc3964f13dd538c353a35cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 2 Jun 2021 20:27:26 -0700 Subject: [PATCH 056/370] fixup --- windows/sv/TOC.yml | 44 +++++++++++++-------------- windows/sv/windows-sv-overview.md | 8 ++--- windows/sv/windows-sv-requirements.md | 9 +++--- 3 files changed, 29 insertions(+), 32 deletions(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index ad14e66327..f0ec3588a7 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,35 +1,33 @@ -- name: Windows 11 +- name: Windows Sun Valley href: index.yml items: - name: Get started items: - - name: Windows 11 overview - href: windows-11-overview.md - - name: Windows 11 requirements - href: windows-11-requirements.md - - name: Windows 11 FAQ - href: windows-11-faq.md + - name: Windows Sun Valley overview + href: windows-sv-overview.md + - name: Windows Sun Valley requirements + href: windows-sv-requirements.md - - name: Deploy and Manage Windows 11 + - name: Deploy and Manage Windows Sun Valley items: - - name: Plan to deploy Windows 11 - href: /windows/deployment/windows-11-plan - - name: Prepare for Windows 11 - href: /windows/deployment/windows-11-prepare.md - - name: Deploy Windows 11 - href: /windows/deployment/windows-11-deploy.md - - name: Configure Windows 11 - href: /windows/configuration/windows-11-configure.md - - name: Manage Windows 11 - href: /windows/client-management/windows-11-manage.md - - name: Windows 11 application readiness - href: /windows/application-management/windows-11-app-readiness.md + - name: Plan to deploy Windows Sun Valley + href: /windows/deployment/windows-sv-plan + - name: Prepare for Windows Sun Valley + href: /windows/deployment/windows-sv-prepare.md + - name: Deploy Windows Sun Valley + href: /windows/deployment/windows-sv-deploy.md + - name: Configure Windows Sun Valley + href: /windows/configuration/windows-sv-configure.md + - name: Manage Windows Sun Valley + href: /windows/client-management/windows-sv-manage.md + - name: Windows Sun Valley application readiness + href: /windows/application-management/windows-sv-app-readiness.md - name: Support items: - - name: Windows 11 lifecycle - href: windows-11-lifecycle.md - - name: Windows 11 release information + - name: Windows Sun Valley lifecycle + href: windows-sv-lifecycle.md + - name: Windows Sun Valley release information href: /windows/release-health diff --git a/windows/sv/windows-sv-overview.md b/windows/sv/windows-sv-overview.md index f39f5e4c23..7b375294fe 100644 --- a/windows/sv/windows-sv-overview.md +++ b/windows/sv/windows-sv-overview.md @@ -1,6 +1,6 @@ --- -title: Placeholder -description: PH +title: Windows Sun Valley overview +description: Overview of Windows Sun Valley ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 11 overview +# Windows Sun Valley overview -Overview of Windows 11. +Overview of Windows Sun Valley. diff --git a/windows/sv/windows-sv-requirements.md b/windows/sv/windows-sv-requirements.md index 482850a4f9..88eb31f2f5 100644 --- a/windows/sv/windows-sv-requirements.md +++ b/windows/sv/windows-sv-requirements.md @@ -1,7 +1,6 @@ --- -title: Placeholder -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +title: Windows Sun Valley requirements +description: Requirements to deploy Windows Sun Valley ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,7 +15,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 11 requirements +# Windows Sun Valley requirements -Windows 11 requirements. +Windows Sun Valley requirements. From d705d4a1efeb44f92bca614d21753f9f60af0ba9 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:09:37 +0500 Subject: [PATCH 057/370] Update windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../create-wip-policy-using-intune-azure.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 69a4976fae..2cd10013da 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -497,7 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. +Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From a840a33060203945db8dd81f3d570b142edf261a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:20:45 +0500 Subject: [PATCH 058/370] Removal of spaces Removed spaces from the page. --- .../basic-audit-account-management.md | 90 +++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index dd21f98e57..5541fc0f63 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Account management events | Description | -|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 4720 | A user account was created. | -| 4723 | A user password was changed. | -| 4724 | A user password was set. | -| 4726 | A user account was deleted. | -| 4727 | A global group was created. | -| 4728 | A member was added to a global group. | -| 4729 | A member was removed from a global group. | -| 4730 | A global group was deleted. | -| 4731 | A new local group was created. | -| 4732 | A member was added to a local group. | -| 4733 | A member was removed from a local group. | -| 4734 | A local group was deleted. | -| 4735 | A local group account was changed. | -| 4737 | A global group account was changed. | -| 4738 | A user account was changed. | -| 4739 | A domain policy was modified. | -| 4740 | A user account was auto locked. | -| 4741 | A computer account was created. | -| 4742 | A computer account was changed. | -| 4743 | A computer account was deleted. | -| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 4745 | A local security group with security disabled was changed. | -| 4746 | A member was added to a security-disabled local security group. | -| 4747 | A member was removed from a security-disabled local security group. | -| 4748 | A security-disabled local group was deleted. | -| 4749 | A security-disabled global group was created. | -| 4750 | A security-disabled global group was changed. | -| 4751 | A member was added to a security-disabled global group. | -| 4752 | A member was removed from a security-disabled global group. | -| 4753 | A security-disabled global group was deleted. | -| 4754 | A security-enabled universal group was created. | -| 4755 | A security-enabled universal group was changed. | -| 4756 | A member was added to a security-enabled universal group. | -| 4757 | A member was removed from a security-enabled universal group. | -| 4758 | A security-enabled universal group was deleted. | -| 4759 | A security-disabled universal group was created. | -| 4760 | A security-disabled universal group was changed. | -| 4761 | A member was added to a security-disabled universal group. | -| 4762 | A member was removed from a security-disabled universal group. | -| 4763 | A security-disabled universal group was deleted. | -| 4764 | A group type was changed. | -| 4780 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | +| Account management events | Description | +| :-----------------------: | :---------- | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | +| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From 4921cd416d3d24245aaacb7ec5e017c04ca9018a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 00:25:37 -0700 Subject: [PATCH 059/370] leverage faq --- windows/whats-new/windows-sv-overview.md | 187 ++++++++++++++++++- windows/whats-new/windows-sv-requirements.md | 2 +- 2 files changed, 187 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index 7b375294fe..3ab1b42497 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -18,5 +18,190 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley overview -Overview of Windows Sun Valley. +Sun Valley is the next client release of Windows. It represents an evolution of Windows 10 that is modern, streamlined, fresh, light, yet familiar to those who use Windows today. It is optimized to deliver great working, learning, and playing experiences. Its goal is to be our most reliable, secure, connected, and performant OS release ever. + +Sun Valley offers new features and functionality built to address challenges our customers face today as well as a completely refreshed look and feel that makes the experience clean and simple. Head to Windows.com/SV to read more about all the new features. + +Windows 10 launched six years ago. Since then, there has been a lot of hardware innovation. With Windows SV every detail has been considered. It has the power and security you crave in a redesigned and refreshed look. Plus, it comes with new tools, sounds, and apps. + +Windows SV provides a familiar modern and refreshed interface that is still familiar that increases productivity and enhances the collaboration experience for end users while maintaining consistent the management forof those IT managed devices. for IT + +The goal with Windows is still the same, regardless of number. Our commitment to drive innovation, bring people together and build the best version of Windows remains. +We said we would always update Windows, of course we’re going to innovate, move people forward, commitment to give people the best version of Windows remains. + +We expect most new devices to be built and designed for Windows SV, and consumer offerings will transition very quickly. Commercial and educational organizations should work with their device partners to understand what options are available for new PCs. + +Commercial version +Eventually all new devices will be built and shipped with Windows Oct2021. Commercial organizations should work with their device partners to understand what options are available for new PCs + +Will there be an evaluation version of Sun Valley? Yes, you can take advantage of the Windows Insider Program to evaluate builds of Sun Valley just as we do today for Windows 10. + +When will new devices be ready for purchase? New devices will be available later in 2021. We expect to see a large refresh of commercial devices in 2022 + +## How to get Windows Sun Valley + +All upgrades to Sun Valley from Windows 10 will be free. + +Windows Sun Valley is due out later in 2021 and will be delivered over several months. The rollout of the upgrade to Windows 10 devices already in use today will begin in 2022 through the first half of that year. Once it has been tested and validated for your specific PC, Windows Update will indicate that the upgrade is ready for installation. + +If your Windows 10 PC meets the minimum specifications for Sun Valley, you will be able to upgrade. We’ve made it simple for you to see for yourself. Download the PC Health Check App to see if your PC meets the minimum specifications. (go to aka.ms/PCHealthCheck - not real URL) + +Commercial version +There is no cost to upgrade for eligible devices to Windows Oct21. Only Windows 10 PCs that are running the most current version of Windows 10 and meet the minimum hardware specifications will be eligible to upgrade. You can check to see if you have the latest updates by navigating to Windows Update in settings. + +Commercial version +The upgrade is expected to be available in early 2022. Not all eligible Windows 10 PCs will be offered theo upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). Once the upgrade rollout has started, you can check the status of your device by navigating to Windows Update in settings.  + +Test out either experience by joining the Windows Insider Program (either by syncing the Windows Insider Pre-release category in WSUS or by selecting “Manage preview builds – Release Preview”). + + +## Windows Sun Valley servicing + +No. Features of Windows SV will be updated once per year in the second half of the year, and quality updates will be releasesd every month oin the second Tuesday of the month. Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month + +Commercial version +No. Features of Windows Oct21 will be updated once per year in the second half of the year, and quality updates will be released every month in the second Tuesday of the month. Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. + +How long is the support window for each Sun Valley release? We will support each annual release for 24 months for Home, Pro, Pro for Workstations and Pro Education editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021 + +Annual SV releases will be supported for either 24 or 36 months, depending on edition, beginning at their initial GA. + +• SV editions supported for 24 months: Home, Pro, Pro Education, Pro for Workstations, Cloud +• SV editions supported for 36 months: Enterprise, IoT Enterprise, Education + +Will there still be a combined LCU and SSU package capability? Yes. Windows XX will continue to support one cumulative package where we will deploy all LCUs and SSUs (if applicable) together as a single package to Windows Server Update Service (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for those updating from Windows Update. + +## Mixed environment + +Yes. We will continue to support Windows 10 with security updates until October 2025. + +Can I run both Sun Valley and Windows 10 in parallel? If so, do I use the same process and tools to manage both? Yes, Windows SV is based on the same foundation of Windows 10 so they can coexist and will use the same processes and tools to manage them. + +Will I be able to manage my Windows environment with MEM in the same way, or will there be changes? In Configuration Manager, you can manage exactly the same way you do today. Simply sync the new Windows XX Product category. + +How will update management look for environments with mixed Sun Valley and Windows 10 populations? You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows XX, in addition to using them to move between the two products. + + +Commercial +Yes. You do not have to upgrade to Windows Oct21. Microsoft will continue to support Windows 10 until October 14, 2025. + +## Deploying Windows Sun Valley + +You will have the option to upgrade, clean install, or reimage Windows 10 devices to move to Windows SV. For Windows 7 devices that meet hardware requirements, you will need to clean install or reimage to go directly to Windows SV. + +Any specific rollback or upgrade recover mechanisms exist? The Windows SV upgrade has a 10 day rollback period, similar to what is offered today for Windows 10 updates + +I leverage Autopilot to allow end users auto provision devices, will Autopilot be available for Sun Valley? Yes, Autopilot can still be leveraged. + +Timing will vary, particularly based on internet speed. Downloading and installing Windows SV will most likely take longer than a typical Windows 10 feature update. You can use your PC while you’re downloading it and then you have the option to schedule the install to happen at a specific time when you aren’t planning on using your PC. + +The free upgrade is for the same edition as you have on your device for Windows 10. If you have Windows 10 Home eEdition, you will be upgraded to Windows SV Home eEdition. For Pro and higher editions, SV will no longer be offered in S mode, so you will need to first switch out of S mode toto qualify for upgrade. + +Commercial +The upgrade to Windows Oct21 is for the same edition as you have on your Windows 10 device. Devices with Windows 10 Pro installed will be upgraded to Windows Oct21 Pro. Devices running Windows 10 Enterprise will upgrade to Windows Oct21 Enterprise. Windows Oct21 Pro will not offer Windows Oct21 Pro in S mode, so you will need to switch out of S mode to upgrade. + +Yes, once you have upgraded to Sun Valley, you have 10 days to utilize the rollback function to move back to Windows 10 while keeping files and data that you brought along with you. After that 10 day10-day period, you will need to back up this data and do a “clean install” to move back to Windows 10. + +In Intune, you will need to leverage target version, if you are not already, to upgrade from Windows 10 to Windows XX. While feature update deferrals are great for moving you to newer versions of your current product (e.g. Windows 10, version 20H2 to 21H1) they are not able to move you between two different products. You will continue being able to manage quality updates for Windows 10 and Windows XX the same way as you do today. + +Commercial +Yes, once you have upgraded to Windows Oct21, you have 10 days to utilize the rollback function to move back to Windows 10 while keeping files and data that you brought along with you. After that 10-day period, you will need to back up your data and do a “clean install” to move back to Windows 10. + +The upgrade experience will be similar to a feature update in Windows 10. You will download the software while able to continue to use your device. Once it is downloaded and ready to install, you will be guided through the installation process through aprocess: a series of screen and prompts. + +Commercial version +The upgrade experience will be similar to a feature update in Windows 10. You will download the software while being able to continue to use your device. Once the update is downloaded and ready to install, you will be guided through the installation process through a series of screens and prompts. There will be at least one restart. + +If I decline the upgrade, can I change my mind and upgrade later? You will be given the opportunity to upgrade via the Windows Update section in Settings if you originally declined the offer. + +If customers upgrade, the default experience will be for files and data to move forward with the new installation. However, we always recommend that customers back up files before installing a new Windows version. If you already sync your files to OneDrive, you may not need to take any additional action to create a backup. + +Commercial version +By default, all your files and data will transfer. However, Microsoft recommends backing up your files before installation. + +Are customers able to download the upgrade ‘on demand’? Will there be ways that customers can find the upgrade prior to Intelligent rollout? Yes, we plan to have similar options that we do today for updates to Windows 10: Upgrade Assistant (similar to Update Assistant) and the Media Creation Tool. We recommend, however, that the customer wait until they are notified through Windows Update that the upgrade is ready for their device. Note that there will be temporary blocks in some instances that will prevent the upgrade from completing installation. + +If a CYOD user purchases a Sun Valley device, can I move them back to Windows 10 and how? Downgrade rights are available with Windows SV Pro OEM licensed devices. You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. You will need to reimage or clean install a Windows SV device to downgrade it to Windows 10. Downgrade rights are also available through Microsoft Volume Licensing (check your agreement for more details). + +If I’m upgrading from Windows 10 to Sun Valley can I change editions at that time (e.g., from Home or Education to Pro)? No, you will need to change editions separately (before or after upgrading). Applicable fees may apply to acquire the license for the new edition + +Commercial version +If you have Windows 10 Pro, you’ll upgrade to Windows Oct2021 Pro. You can then step up to Windows Oct2021 Enterprise. If you have Windows 10 Home, you’ll upgrade to Windows Oct2021 Home. You can then step up to Windows 10 Pro. + +## Requirements + +The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. + +You can use the PC Health Check app to determine if your PC can upgrade. The PC Health Check is available for download . [this will eventually need to change to a message about WU – Aug 2021 timeframe] + +Can Enterprise customers get the upgrade? Enterprise customers are eligible per the terms of their current licensing agreement + +What about Windows RT? Windows RT is not eligible for upgrade. + +Any device that meets the minimum specification can upgrade run Windows SV. However, Windows 7 devices will likely not meet the minimum specification because of age and generation of the processor that was included with that device. Please see below for the full CPU list available through our Windows SV specifications page to see which ones are compatible for upgrade. If a customer with a Windows 7 PC that meets the minimum spec wants to upgrade, they would need to purchase a Windows 10 license, perform a clean install, and proceed with the upgrade to Windows SV. In 2022, they will also have the option to purchase Windows SV at retail and install it on the compatible Windows 7 device. + +The minimum storage drive requirement is 64GB for Windows SV. Ongoing requirements for feature and quality updates will vary, but are generally expected to be similar to what we see today for Windows 10 + + +Commercial +To see if your PC is eligible, download the PC Health Check app (link). Once the upgrade rollout has started, you can check the status of your device by navigating to Windows Update in settings. + +## Managing Windows Sun Valley + + +With Windows 10, Microsoft forced me to make significant changes to my IT processes, management approach and tooling, what will this new version require me to change? Windows SV is based on the same foundation of Windows 10, so it will support the same management tools that you use today with Windows 10. + +## Hardware compatibility + +Most software and accessories that worked with Windows 10 areis expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products. + +Commercial version +Most software and accessories that worked with Windows 10 are expected to work with Windows Oct21. Check with your software publisher or accessory manufacturer for specific details on your products. + +Most software and accessories that worked with Windows 10 is expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products. + +Most software and accessories that worked with Windows 10 is expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products and to see if an upgrade of your security solution is required for WIndowsWindows SV. + +Commercial version +Most software and accessories that worked with Windows 10 are expected to work with Windows Oct21. Check with your software publisher or accessory manufacturer for specific details on your products. + +## App management in Windows Sun Valley + +Commercial version (specific to apps) +Yes, Microsoft is committed to ensuring your applications work on the latest versions of our software and Windows Oct21 has been built with compatibility in mind. Our promise states that apps that worked on Windows 7/8.1/10 will work on Windows Oct21. If you have App Assure, Microsoft will help you fix them at no cost. + +App Assure is a service that helps customers remediate application issues that they may experience when deploying the latest version of our software. + +App Assure is available at no additional cost for eligible customers with 150+ seats. For more information on eligibility requirements, please navigate to this page + +Visit the App Assure page and sign in to submit your request for assistance for a dedicated App Assure Manager. If you experience any issues submitting a request for assistance, please contact ACHELP@microsoft.com and our team members will reach out to you to help! + +Yes, most apps and devices that worked with Windows 10 will be compatible with Sun Valley. You can also check with your software publisher manufacturer for more detailed information. + +## Licensing + +Will I get Sun Valley as part of my Microsoft 365 license? +Microsoft 365 licenses that include Windows licenses will allow you to run Sun Valley on supported devices. + + +If I have a volume license, will it equally cover Sun Valley and Windows 10 devices both before and after upgrade? Yes + +## Applications + +Will Safeguard holds still function for SV and how will that work between the two different OS versions? Yes. IT Administrators will have access to safeguard hold information using Update Compliance. More information can be found here. + +What’s going to happen with kiosk mode? Commercial version +Windows Oct2021 is committed to support all of the commercial scenarios that we supported in Windows 10, which includes kiosk mode. In this initial Windows Oct2021 release, we are supporting single app kiosk mode. In the future, we plan to support multi-app kiosk mode. + +Will Known Issue Rollback (KIR) function on SV? Yes, the known issue rollback will function on SV. + +What’s not in Sun Valley that’s in Windows 10? (link to Aaron Grady deck). This is also published on the Windows specifications page and there will be a docs/technet article that will be published, too + + +---------------------------------------- + + + + + diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 8c7e043b4e..fffaec9814 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -18,5 +18,5 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley requirements -Windows Sun Valley requirements. +The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. From 9446cdaa9b55733b5d45a70c95127d648a349367 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 10:32:38 -0700 Subject: [PATCH 060/370] edits --- windows/deployment/windows-sv-deploy.md | 13 +- windows/whats-new/windows-sv-overview.md | 193 ++++--------------- windows/whats-new/windows-sv-requirements.md | 24 +++ 3 files changed, 73 insertions(+), 157 deletions(-) diff --git a/windows/deployment/windows-sv-deploy.md b/windows/deployment/windows-sv-deploy.md index ca92e990a7..033c8308fa 100644 --- a/windows/deployment/windows-sv-deploy.md +++ b/windows/deployment/windows-sv-deploy.md @@ -1,7 +1,6 @@ --- -title: Windows 11 deployment planning -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,10 +15,12 @@ audience: itpro ms.topic: article --- -# Windows 11 deployment planning +# Windows Sun Valley deployment planning **Applies to** -- Windows 11, version 21H1 +- Windows Sun Valley -To successfully deploy the Windows 11 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +## + +To successfully deploy the Windows Sun Valley operating system in your organization, ... diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index 3ab1b42497..44ce28569a 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -18,190 +18,81 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley overview -Sun Valley is the next client release of Windows. It represents an evolution of Windows 10 that is modern, streamlined, fresh, light, yet familiar to those who use Windows today. It is optimized to deliver great working, learning, and playing experiences. Its goal is to be our most reliable, secure, connected, and performant OS release ever. +**Applies to** +- Windows Sun Valley -Sun Valley offers new features and functionality built to address challenges our customers face today as well as a completely refreshed look and feel that makes the experience clean and simple. Head to Windows.com/SV to read more about all the new features. +This article provides an introduction to Windows Sun Valley, the next client release of Windows. -Windows 10 launched six years ago. Since then, there has been a lot of hardware innovation. With Windows SV every detail has been considered. It has the power and security you crave in a redesigned and refreshed look. Plus, it comes with new tools, sounds, and apps. +## What is Windows Sun Valley? -Windows SV provides a familiar modern and refreshed interface that is still familiar that increases productivity and enhances the collaboration experience for end users while maintaining consistent the management forof those IT managed devices. for IT - -The goal with Windows is still the same, regardless of number. Our commitment to drive innovation, bring people together and build the best version of Windows remains. -We said we would always update Windows, of course we’re going to innovate, move people forward, commitment to give people the best version of Windows remains. - -We expect most new devices to be built and designed for Windows SV, and consumer offerings will transition very quickly. Commercial and educational organizations should work with their device partners to understand what options are available for new PCs. - -Commercial version -Eventually all new devices will be built and shipped with Windows Oct2021. Commercial organizations should work with their device partners to understand what options are available for new PCs - -Will there be an evaluation version of Sun Valley? Yes, you can take advantage of the Windows Insider Program to evaluate builds of Sun Valley just as we do today for Windows 10. - -When will new devices be ready for purchase? New devices will be available later in 2021. We expect to see a large refresh of commercial devices in 2022 +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. ## How to get Windows Sun Valley -All upgrades to Sun Valley from Windows 10 will be free. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. It will also be available on new devices that meet the hardware requirements. -Windows Sun Valley is due out later in 2021 and will be delivered over several months. The rollout of the upgrade to Windows 10 devices already in use today will begin in 2022 through the first half of that year. Once it has been tested and validated for your specific PC, Windows Update will indicate that the upgrade is ready for installation. +You must be running the most current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -If your Windows 10 PC meets the minimum specifications for Sun Valley, you will be able to upgrade. We’ve made it simple for you to see for yourself. Download the PC Health Check App to see if your PC meets the minimum specifications. (go to aka.ms/PCHealthCheck - not real URL) +Not all eligible Windows 10 PCs will be offered theo upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to Windows Update in settings. Once the upgrade rollout has started and the upgrade has been tested and validated for your specific PC hardware, Windows Update will indicate that the upgrade is ready for installation. -Commercial version -There is no cost to upgrade for eligible devices to Windows Oct21. Only Windows 10 PCs that are running the most current version of Windows 10 and meet the minimum hardware specifications will be eligible to upgrade. You can check to see if you have the latest updates by navigating to Windows Update in settings. +You can get early access to test Windows Sun Valley by joining the Windows Insider Program, or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). -Commercial version -The upgrade is expected to be available in early 2022. Not all eligible Windows 10 PCs will be offered theo upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). Once the upgrade rollout has started, you can check the status of your device by navigating to Windows Update in settings.  +## Windows Sun Valley lifecycle -Test out either experience by joining the Windows Insider Program (either by syncing the Windows Insider Pre-release category in WSUS or by selecting “Manage preview builds – Release Preview”). +Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. -## Windows Sun Valley servicing +Windows Sun Valley annual releases are supported for 24 months for the following editions: +- Home +- Pro +- Pro for Workstations +- Pro Education -No. Features of Windows SV will be updated once per year in the second half of the year, and quality updates will be releasesd every month oin the second Tuesday of the month. Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month +Windows Sun Valley annual releases are supported for 36 months for the following editions: +- Enterprise +- Education editions -Commercial version -No. Features of Windows Oct21 will be updated once per year in the second half of the year, and quality updates will be released every month in the second Tuesday of the month. Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. +## Windows 10 lifecycle -How long is the support window for each Sun Valley release? We will support each annual release for 24 months for Home, Pro, Pro for Workstations and Pro Education editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021 +Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. Windows 10 will be supported with security updates until October 2025. -Annual SV releases will be supported for either 24 or 36 months, depending on edition, beginning at their initial GA. - -• SV editions supported for 24 months: Home, Pro, Pro Education, Pro for Workstations, Cloud -• SV editions supported for 36 months: Enterprise, IoT Enterprise, Education +## OS management in a mixed environment -Will there still be a combined LCU and SSU package capability? Yes. Windows XX will continue to support one cumulative package where we will deploy all LCUs and SSUs (if applicable) together as a single package to Windows Server Update Service (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for those updating from Windows Update. +Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. -## Mixed environment +## Deploy Windows Sun Valley -Yes. We will continue to support Windows 10 with security updates until October 2025. +Consider using the following process to deploy Windows Sun Valley to existing devices: +1. Preview Windows Sun Valley and create a deployment plan. +2. Test critical applications and management policies. +3. Update devices to the latest release of Windows 10. +4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. +5. Update deployment tools and infrastructure. +6. Update qualifying devices to Windows Sun Valley. -Can I run both Sun Valley and Windows 10 in parallel? If so, do I use the same process and tools to manage both? Yes, Windows SV is based on the same foundation of Windows 10 so they can coexist and will use the same processes and tools to manage them. - -Will I be able to manage my Windows environment with MEM in the same way, or will there be changes? In Configuration Manager, you can manage exactly the same way you do today. Simply sync the new Windows XX Product category. - -How will update management look for environments with mixed Sun Valley and Windows 10 populations? You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows XX, in addition to using them to move between the two products. - - -Commercial -Yes. You do not have to upgrade to Windows Oct21. Microsoft will continue to support Windows 10 until October 14, 2025. - -## Deploying Windows Sun Valley - -You will have the option to upgrade, clean install, or reimage Windows 10 devices to move to Windows SV. For Windows 7 devices that meet hardware requirements, you will need to clean install or reimage to go directly to Windows SV. - -Any specific rollback or upgrade recover mechanisms exist? The Windows SV upgrade has a 10 day rollback period, similar to what is offered today for Windows 10 updates - -I leverage Autopilot to allow end users auto provision devices, will Autopilot be available for Sun Valley? Yes, Autopilot can still be leveraged. - -Timing will vary, particularly based on internet speed. Downloading and installing Windows SV will most likely take longer than a typical Windows 10 feature update. You can use your PC while you’re downloading it and then you have the option to schedule the install to happen at a specific time when you aren’t planning on using your PC. - -The free upgrade is for the same edition as you have on your device for Windows 10. If you have Windows 10 Home eEdition, you will be upgraded to Windows SV Home eEdition. For Pro and higher editions, SV will no longer be offered in S mode, so you will need to first switch out of S mode toto qualify for upgrade. - -Commercial -The upgrade to Windows Oct21 is for the same edition as you have on your Windows 10 device. Devices with Windows 10 Pro installed will be upgraded to Windows Oct21 Pro. Devices running Windows 10 Enterprise will upgrade to Windows Oct21 Enterprise. Windows Oct21 Pro will not offer Windows Oct21 Pro in S mode, so you will need to switch out of S mode to upgrade. - -Yes, once you have upgraded to Sun Valley, you have 10 days to utilize the rollback function to move back to Windows 10 while keeping files and data that you brought along with you. After that 10 day10-day period, you will need to back up this data and do a “clean install” to move back to Windows 10. - -In Intune, you will need to leverage target version, if you are not already, to upgrade from Windows 10 to Windows XX. While feature update deferrals are great for moving you to newer versions of your current product (e.g. Windows 10, version 20H2 to 21H1) they are not able to move you between two different products. You will continue being able to manage quality updates for Windows 10 and Windows XX the same way as you do today. - -Commercial -Yes, once you have upgraded to Windows Oct21, you have 10 days to utilize the rollback function to move back to Windows 10 while keeping files and data that you brought along with you. After that 10-day period, you will need to back up your data and do a “clean install” to move back to Windows 10. - -The upgrade experience will be similar to a feature update in Windows 10. You will download the software while able to continue to use your device. Once it is downloaded and ready to install, you will be guided through the installation process through aprocess: a series of screen and prompts. - -Commercial version -The upgrade experience will be similar to a feature update in Windows 10. You will download the software while being able to continue to use your device. Once the update is downloaded and ready to install, you will be guided through the installation process through a series of screens and prompts. There will be at least one restart. - -If I decline the upgrade, can I change my mind and upgrade later? You will be given the opportunity to upgrade via the Windows Update section in Settings if you originally declined the offer. - -If customers upgrade, the default experience will be for files and data to move forward with the new installation. However, we always recommend that customers back up files before installing a new Windows version. If you already sync your files to OneDrive, you may not need to take any additional action to create a backup. - -Commercial version -By default, all your files and data will transfer. However, Microsoft recommends backing up your files before installation. - -Are customers able to download the upgrade ‘on demand’? Will there be ways that customers can find the upgrade prior to Intelligent rollout? Yes, we plan to have similar options that we do today for updates to Windows 10: Upgrade Assistant (similar to Update Assistant) and the Media Creation Tool. We recommend, however, that the customer wait until they are notified through Windows Update that the upgrade is ready for their device. Note that there will be temporary blocks in some instances that will prevent the upgrade from completing installation. - -If a CYOD user purchases a Sun Valley device, can I move them back to Windows 10 and how? Downgrade rights are available with Windows SV Pro OEM licensed devices. You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. You will need to reimage or clean install a Windows SV device to downgrade it to Windows 10. Downgrade rights are also available through Microsoft Volume Licensing (check your agreement for more details). - -If I’m upgrading from Windows 10 to Sun Valley can I change editions at that time (e.g., from Home or Education to Pro)? No, you will need to change editions separately (before or after upgrading). Applicable fees may apply to acquire the license for the new edition - -Commercial version -If you have Windows 10 Pro, you’ll upgrade to Windows Oct2021 Pro. You can then step up to Windows Oct2021 Enterprise. If you have Windows 10 Home, you’ll upgrade to Windows Oct2021 Home. You can then step up to Windows 10 Pro. - -## Requirements - -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. - -You can use the PC Health Check app to determine if your PC can upgrade. The PC Health Check is available for download . [this will eventually need to change to a message about WU – Aug 2021 timeframe] - -Can Enterprise customers get the upgrade? Enterprise customers are eligible per the terms of their current licensing agreement - -What about Windows RT? Windows RT is not eligible for upgrade. - -Any device that meets the minimum specification can upgrade run Windows SV. However, Windows 7 devices will likely not meet the minimum specification because of age and generation of the processor that was included with that device. Please see below for the full CPU list available through our Windows SV specifications page to see which ones are compatible for upgrade. If a customer with a Windows 7 PC that meets the minimum spec wants to upgrade, they would need to purchase a Windows 10 license, perform a clean install, and proceed with the upgrade to Windows SV. In 2022, they will also have the option to purchase Windows SV at retail and install it on the compatible Windows 7 device. - -The minimum storage drive requirement is 64GB for Windows SV. Ongoing requirements for feature and quality updates will vary, but are generally expected to be similar to what we see today for Windows 10 - - -Commercial -To see if your PC is eligible, download the PC Health Check app (link). Once the upgrade rollout has started, you can check the status of your device by navigating to Windows Update in settings. - -## Managing Windows Sun Valley +For more information, see [Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy). +## Manage Windows Sun Valley With Windows 10, Microsoft forced me to make significant changes to my IT processes, management approach and tooling, what will this new version require me to change? Windows SV is based on the same foundation of Windows 10, so it will support the same management tools that you use today with Windows 10. ## Hardware compatibility -Most software and accessories that worked with Windows 10 areis expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products. +Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Commercial version -Most software and accessories that worked with Windows 10 are expected to work with Windows Oct21. Check with your software publisher or accessory manufacturer for specific details on your products. +## Application compatibility -Most software and accessories that worked with Windows 10 is expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products. +Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have App Assure, Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [article link here]. -Most software and accessories that worked with Windows 10 is expected to work with Windows SV. Check with your software publisher or accessory manufacturer for specific details on your products and to see if an upgrade of your security solution is required for WIndowsWindows SV. +## Windows Sun Valley features and applications -Commercial version -Most software and accessories that worked with Windows 10 are expected to work with Windows Oct21. Check with your software publisher or accessory manufacturer for specific details on your products. - -## App management in Windows Sun Valley - -Commercial version (specific to apps) -Yes, Microsoft is committed to ensuring your applications work on the latest versions of our software and Windows Oct21 has been built with compatibility in mind. Our promise states that apps that worked on Windows 7/8.1/10 will work on Windows Oct21. If you have App Assure, Microsoft will help you fix them at no cost. - -App Assure is a service that helps customers remediate application issues that they may experience when deploying the latest version of our software. - -App Assure is available at no additional cost for eligible customers with 150+ seats. For more information on eligibility requirements, please navigate to this page - -Visit the App Assure page and sign in to submit your request for assistance for a dedicated App Assure Manager. If you experience any issues submitting a request for assistance, please contact ACHELP@microsoft.com and our team members will reach out to you to help! - -Yes, most apps and devices that worked with Windows 10 will be compatible with Sun Valley. You can also check with your software publisher manufacturer for more detailed information. +Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. ## Licensing -Will I get Sun Valley as part of my Microsoft 365 license? -Microsoft 365 licenses that include Windows licenses will allow you to run Sun Valley on supported devices. - - -If I have a volume license, will it equally cover Sun Valley and Windows 10 devices both before and after upgrade? Yes - -## Applications - -Will Safeguard holds still function for SV and how will that work between the two different OS versions? Yes. IT Administrators will have access to safeguard hold information using Update Compliance. More information can be found here. - -What’s going to happen with kiosk mode? Commercial version -Windows Oct2021 is committed to support all of the commercial scenarios that we supported in Windows 10, which includes kiosk mode. In this initial Windows Oct2021 release, we are supporting single app kiosk mode. In the future, we plan to support multi-app kiosk mode. - -Will Known Issue Rollback (KIR) function on SV? Yes, the known issue rollback will function on SV. - -What’s not in Sun Valley that’s in Windows 10? (link to Aaron Grady deck). This is also published on the Windows specifications page and there will be a docs/technet article that will be published, too - - ----------------------------------------- - - - - +There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. +Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. +If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index fffaec9814..2866b8c09a 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -18,5 +18,29 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley requirements +This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). + +## Software requirements + The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. +## Hardware requirements + +The following processor and hardware requirements are necessary to support Windows Sun Valley: + +Processor +- Intel 8th generation, Intel Celeron N4000, Pentium N5000 +- AMD Ryzen gen 2 (Zen+), AMD 3xxx +- Qualcomm 7c, 8c, 8cx +- 64bit architecture +- 1Ghz clock speed +- 2 cores + +Hardware +- 64GB drive +- 4GB RAM +- UEFI, Secure Boot capable & TPM 2.0 +- >9” with HD Resolution (1366x768 equivalent) +- DirectX 12 compatible graphics / WDDM 2.x +- Connectivity required (Home Edition) + From 2ea579bd357aeb67765fccce9dd0c84a0bc1d132 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:12:08 -0700 Subject: [PATCH 061/370] CI 144624 - created article, updated TOC --- .../hello-aad-join-cloud-only-deploy.md | 94 +++++++++++++++++++ .../hello-for-business/toc.yml | 2 + 2 files changed, 96 insertions(+) create mode 100644 windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md new file mode 100644 index 0000000000..f46f11f58a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -0,0 +1,94 @@ +--- +title: Azure Active Directory join cloud only deployment +description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. +keywords: identity, Hello, Active Directory, cloud, +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +audience: ITPro +author: mapalko +ms.author: mapalko +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 06/03/2021 +ms.reviewer: +--- +# Azure Active Directory Join Cloud Only Deployment + +## Introduction + +When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. + +> [!NOTE} +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. + +## Prerequisites + +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification#cloud-only-deployment). + +> [!NOTE] +> It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. + +You can check and view this setting with the following MSOnline PowerShell command: + +`Get-MsolDomainFederationSettings –DomainName ` + +## Use Intune to disable Windows Hello for Business enrollment + +We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/windows-hello). + +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. + +To disable this, run the following command. Note that this impacts **all** Azure AD MFA scenarios for this federated domain. + +`Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` + +Example: + +`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` + +If you use this Supports MFA switch with value True, you will need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. + +## Create a Windows Hello for Business policy + +1. Sign into the Microsoft Endpoint Manager admin center. +2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. +3. Select from the following options for Configure Windows Hello for Business: + + 1. **Disabled**: If you do not want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + +## Disable Windows Hello for Business enrollment without Intune + +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you do not manage them with Intune. This can also be set manually on the specific device(s). + +These are Azure AD joined only systems and not domain joined systems, so these settings could be made in the registry on the device(s) when Intune is not used. + +These are the registry settings an Intune policy would set. If you are not using Intune, it is recommended to use the Intune Device Policy registry settings manually to disable this. + +Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** + +These are the registry settings pushed from Intune for user policies for your reference. + +Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +DWORD: **UsePassportForWork** +Value = **0** for Disable, or Value = **1** for Enable + +These are the registry settings for Local or Group Policies for your reference. + +Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** +Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +DWORD: **Enabled** +Value = **0** for Disable or Value = **1** for Enable + +If there is a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We do not recommend creating Local/GPO registry settings that could conflict with an Intune policy. This could lead to unexpected results. + +## Related reference documents for Azure AD join scenarios + +- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join) +- [Plan your Azure Active Directory device deployment](https://docs.microsoft.com/azure/active-directory/devices/plan-device-deployment) +- [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan) +- [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin) +- [Manage device identities using the Azure portal](https://docs.microsoft.com/azure/active-directory/devices/device-management-azure-portal) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 5c90875208..ec30c22aec 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -101,6 +101,8 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md + - name: Azure AD join cloud only deployment + href: hello-aad-join-cloud-only-deploy - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md - name: Deploying Certificates to Key Trust Users to Enable RDP From bb27dd991180afa4066a9ba4f87d495a0e0ca9f0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:12:47 -0700 Subject: [PATCH 062/370] 3 articles drafted --- windows/deployment/windows-sv-deploy.md | 4 +- windows/whats-new/windows-sv-get-started.md | 15 ++++++++ windows/whats-new/windows-sv-overview.md | 42 ++++++++------------- 3 files changed, 32 insertions(+), 29 deletions(-) diff --git a/windows/deployment/windows-sv-deploy.md b/windows/deployment/windows-sv-deploy.md index 033c8308fa..fe50501d35 100644 --- a/windows/deployment/windows-sv-deploy.md +++ b/windows/deployment/windows-sv-deploy.md @@ -20,7 +20,7 @@ ms.topic: article **Applies to** - Windows Sun Valley -## +## Windows Sun Valley deployment considerations + -To successfully deploy the Windows Sun Valley operating system in your organization, ... diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-get-started.md index 3bcdd4f4e0..9e588a9e10 100644 --- a/windows/whats-new/windows-sv-get-started.md +++ b/windows/whats-new/windows-sv-get-started.md @@ -19,3 +19,18 @@ ms.topic: article **Applies to** - Windows Sun Valley + +## Windows Sun Valley deployment planning + +Consider using the following process to deploy Windows Sun Valley to existing devices: +1. Preview Windows Sun Valley and create a deployment plan. +2. Test critical applications and management policies. +3. Update devices to the latest release of Windows 10. +4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. +5. Update deployment tools and infrastructure. +6. Update qualifying devices to Windows Sun Valley. + + +## See also + +[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy). diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index 44ce28569a..a68ec2aa11 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -21,11 +21,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows Sun Valley -This article provides an introduction to Windows Sun Valley, the next client release of Windows. - -## What is Windows Sun Valley? - -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +This article provides an introduction to Windows Sun Valley, the next client release of Windows. Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. ## How to get Windows Sun Valley @@ -39,10 +35,14 @@ You can get early access to test Windows Sun Valley by joining the Windows Insid ## Windows Sun Valley lifecycle +### Updates + Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. +### Servicing + Windows Sun Valley annual releases are supported for 24 months for the following editions: - Home - Pro @@ -51,32 +51,20 @@ Windows Sun Valley annual releases are supported for 24 months for the following Windows Sun Valley annual releases are supported for 36 months for the following editions: - Enterprise -- Education editions +- Education + +### Feature and application lifecycle + +Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. ## Windows 10 lifecycle Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. Windows 10 will be supported with security updates until October 2025. -## OS management in a mixed environment +## Management and tools Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. -## Deploy Windows Sun Valley - -Consider using the following process to deploy Windows Sun Valley to existing devices: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. -6. Update qualifying devices to Windows Sun Valley. - -For more information, see [Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy). - -## Manage Windows Sun Valley - -With Windows 10, Microsoft forced me to make significant changes to my IT processes, management approach and tooling, what will this new version require me to change? Windows SV is based on the same foundation of Windows 10, so it will support the same management tools that you use today with Windows 10. - ## Hardware compatibility Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. @@ -85,10 +73,6 @@ Most accessories and associated software that worked with Windows 10 are expecte Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have App Assure, Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [article link here]. -## Windows Sun Valley features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - ## Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -96,3 +80,7 @@ There are no unique licensing requirements for Windows Sun Valley beyond what is Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. + +## See also + +[Get started with Windows Sun Valley](windows-sv-get-started.md) From 5d5bad186fb63d9b10c6eab447f7cf149bd34dcc Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:17:51 -0700 Subject: [PATCH 063/370] fix some other articles --- windows/deployment/windows-sv-plan.md | 259 +--------------------- windows/deployment/windows-sv-prepare.md | 260 +---------------------- windows/sv/index.yml | 2 +- 3 files changed, 10 insertions(+), 511 deletions(-) diff --git a/windows/deployment/windows-sv-plan.md b/windows/deployment/windows-sv-plan.md index e3b81e8c3c..7244da875c 100644 --- a/windows/deployment/windows-sv-plan.md +++ b/windows/deployment/windows-sv-plan.md @@ -1,6 +1,6 @@ --- -title: Windows 11 deployment planning -description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi @@ -19,257 +19,8 @@ ms.topic: article # Windows 11 deployment planning **Applies to** -- Windows 11 +- Windows Sun Valley -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryScenarioDescriptionMore information
Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
- -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager -
- Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
- - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
- - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
- Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager -
- - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- -
  - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) -- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) -- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file +The following table summarizes various Windows Sun Valley deployment scenarios. The scenarios are each assigned to one of three categories. \ No newline at end of file diff --git a/windows/deployment/windows-sv-prepare.md b/windows/deployment/windows-sv-prepare.md index eb8ce64aa0..2a0b778723 100644 --- a/windows/deployment/windows-sv-prepare.md +++ b/windows/deployment/windows-sv-prepare.md @@ -1,7 +1,6 @@ --- -title: Prepare to deploy Windows 11 -description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +title: Prepare to deploy Windows Sun Valley +description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. ms.reviewer: manager: laurawi ms.audience: itpro @@ -19,257 +18,6 @@ ms.topic: article # Prepare to deploy Windows 11 **Applies to** -- Windows 11, version 21H1 +- Windows Sun Valley -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryScenarioDescriptionMore information
Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
- -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager -
- Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
- - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
- - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
- Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager -
- - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- -
  - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) -- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) -- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file +To successfully deploy \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 9ce50839f3..6f30d77869 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,6 +1,6 @@ ### YamlMime:Landing -title: Windows SV # < 60 chars +title: Windows Sun Valley # < 60 chars summary: Find out about Windows Windows Sun Valley. # < 160 chars metadata: From c95cf2df28f757b0b515ca89a45e0e42c0d77693 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:20:36 -0700 Subject: [PATCH 064/370] Updates --- .../hello-aad-join-cloud-only-deploy.md | 14 +++++++------- .../identity-protection/hello-for-business/toc.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index f46f11f58a..d9cc726083 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -27,7 +27,7 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification#cloud-only-deployment). +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). > [!NOTE] > It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. @@ -38,7 +38,7 @@ You can check and view this setting with the following MSOnline PowerShell comma ## Use Intune to disable Windows Hello for Business enrollment -We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/windows-hello). +We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. @@ -87,8 +87,8 @@ If there is a conflicting Device policy and User policy, the device policy or co ## Related reference documents for Azure AD join scenarios -- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join) -- [Plan your Azure Active Directory device deployment](https://docs.microsoft.com/azure/active-directory/devices/plan-device-deployment) -- [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan) -- [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin) -- [Manage device identities using the Azure portal](https://docs.microsoft.com/azure/active-directory/devices/device-management-azure-portal) +- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) +- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment) +- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) +- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) +- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index ec30c22aec..60161ce7da 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -102,7 +102,7 @@ - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy + href: hello-aad-join-cloud-only-deploy.md - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md - name: Deploying Certificates to Key Trust Users to Enable RDP From 5a8e04486522015bb3919bc04d51519effce493b Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:20:37 -0700 Subject: [PATCH 065/370] index card link --- windows/whats-new/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index e1c75debe3..433ee55b6f 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -28,7 +28,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley Overview - url: windows-sv-overview.md + url: windows-sv-overview - text: Windows Sun Valley requirements url: windows-sv-requirements.md - text: Get started with Windows Sun Valley From 7c9f075f2169c75364129b37cbbc815f8e3f2936 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:22:25 -0700 Subject: [PATCH 066/370] index card link!! --- windows/hub/index.yml | 6 +++--- windows/whats-new/index.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 14991296ce..748310bd3c 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -27,11 +27,11 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv-overview.md + url: /windows/whats-new/windows-sv-overview - text: Windows Sun Valley requirements - url: /windows/whats-new/windows-sv-requirements.md + url: /windows/whats-new/windows-sv-requirements - text: Get started with Windows Sun Valley - url: /windows/whats-new/get-started-windows-sv.md + url: /windows/whats-new/get-started-windows-sv - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 433ee55b6f..e1c75debe3 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -28,7 +28,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley Overview - url: windows-sv-overview + url: windows-sv-overview.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - text: Get started with Windows Sun Valley From 379f43396b78e8cfb6a62eddc2c5df7f70e6147f Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:28:52 -0700 Subject: [PATCH 067/370] Acrolinx --- .../hello-aad-join-cloud-only-deploy.md | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d9cc726083..460b06dd45 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -23,11 +23,11 @@ ms.reviewer: When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. > [!NOTE} -> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there is no additional MFA configuration needed. If you are not already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there's no other MFA configuration needed. If you're not already registered in Azure AD MFA, you'll be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). > [!NOTE] > It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. @@ -40,9 +40,12 @@ You can check and view this setting with the following MSOnline PowerShell comma We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you are not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you're not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -To disable this, run the following command. Note that this impacts **all** Azure AD MFA scenarios for this federated domain. +To disable Windows Hello for Business, run the following command. + +> [!NOTE] +> This action impacts **all** Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` @@ -50,7 +53,7 @@ Example: `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` -If you use this Supports MFA switch with value True, you will need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. +If you use this Supports MFA switch with value True, you'll need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. ## Create a Windows Hello for Business policy @@ -58,32 +61,32 @@ If you use this Supports MFA switch with value True, you will need to verify you 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 3. Select from the following options for Configure Windows Hello for Business: - 1. **Disabled**: If you do not want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you do not manage them with Intune. This can also be set manually on the specific device(s). +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). -These are Azure AD joined only systems and not domain joined systems, so these settings could be made in the registry on the device(s) when Intune is not used. +These systems are Azure AD joined only, and aren't domain joined systems, so these settings could be made in the registry on the device(s) when Intune isn't used. -These are the registry settings an Intune policy would set. If you are not using Intune, it is recommended to use the Intune Device Policy registry settings manually to disable this. +These registry settings are the settings an Intune policy would set. If you're not using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable the policy. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -These are the registry settings pushed from Intune for user policies for your reference. +These registry settings are pushed from Intune for user policies for your reference. Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** DWORD: **UsePassportForWork** Value = **0** for Disable, or Value = **1** for Enable -These are the registry settings for Local or Group Policies for your reference. +These registry settings are for Local or Group Policies for your reference. Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** DWORD: **Enabled** Value = **0** for Disable or Value = **1** for Enable -If there is a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We do not recommend creating Local/GPO registry settings that could conflict with an Intune policy. This could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. Creating these settings could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From e3ef8dc6ad5d4d5e033c9242cd2bb08184b028e4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:32:22 -0700 Subject: [PATCH 068/370] add some links --- windows/whats-new/windows-sv-overview.md | 12 ++++++++---- windows/whats-new/windows-sv-requirements.md | 11 +++++++---- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index a68ec2aa11..343ad3490b 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -21,11 +21,13 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows Sun Valley -This article provides an introduction to Windows Sun Valley, the next client release of Windows. Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +This article provides an introduction to Windows Sun Valley, the next client release of Windows. + +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. It will also be available on new devices that meet the hardware requirements. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. You must be running the most current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -59,7 +61,9 @@ Most features and applications that are included with Windows 10 will be availab ## Windows 10 lifecycle -Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. Windows 10 will be supported with security updates until October 2025. +Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. + +Windows 10 will be supported with security updates until October 2025. ## Management and tools @@ -71,7 +75,7 @@ Most accessories and associated software that worked with Windows 10 are expecte ## Application compatibility -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have App Assure, Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [article link here]. +Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). ## Licensing diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 2866b8c09a..949af445bb 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -26,7 +26,7 @@ The upgrade to Sun Valley is available for devices running Windows 10, version 2 ## Hardware requirements -The following processor and hardware requirements are necessary to support Windows Sun Valley: +To install Windows Sun Valley, devices must meet the following specifications: Processor - Intel 8th generation, Intel Celeron N4000, Pentium N5000 @@ -40,7 +40,10 @@ Hardware - 64GB drive - 4GB RAM - UEFI, Secure Boot capable & TPM 2.0 -- >9” with HD Resolution (1366x768 equivalent) -- DirectX 12 compatible graphics / WDDM 2.x -- Connectivity required (Home Edition) +- Monitor 9” or more, with HD Resolution +- DirectX 12 compatible graphics / WDDM 2.x + +## Network requirements + +Internet connectivity is required for the Home Edition From 65a9b57f0065ba9fc73380b5467a0d07faecfafa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:35:02 -0700 Subject: [PATCH 069/370] rm --- windows/deployment/TOC.yml | 8 ++++---- windows/whats-new/windows-sv-get-started.md | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 0e2693fd62..b66af87886 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,7 +5,7 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows 11 deployment overview + - name: Windows Sun Valley deployment overview href: windows-sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md @@ -35,7 +35,7 @@ - name: Plan items: - - name: Windows 11 deployment planning + - name: Windows Sun Valley deployment planning href: windows-sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md @@ -71,7 +71,7 @@ - name: Prepare items: - - name: Prepare to deploy Windows 11 + - name: Prepare to deploy Windows Sun Valley href: windows-sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md @@ -104,7 +104,7 @@ items: - name: Deploy Windows client items: - - name: Windows 11 deployment overview + - name: Windows Sun Valley deployment overview href: windows-sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-get-started.md index 9e588a9e10..25b0d9e99c 100644 --- a/windows/whats-new/windows-sv-get-started.md +++ b/windows/whats-new/windows-sv-get-started.md @@ -20,7 +20,7 @@ ms.topic: article - Windows Sun Valley -## Windows Sun Valley deployment planning +## Deployment planning Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. @@ -33,4 +33,4 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy). +[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) From 41729287484cce224bbf1f877ba3c1068865c316 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 3 Jun 2021 11:36:42 -0700 Subject: [PATCH 070/370] Note fix --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 460b06dd45..0536abfc83 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -22,7 +22,7 @@ ms.reviewer: When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. -> [!NOTE} +> [!NOTE] > During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites From 9d3e667196a2eea54f4acefec1387213fc026841 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:38:13 -0700 Subject: [PATCH 071/370] see also --- windows/whats-new/windows-sv-requirements.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 949af445bb..ddb8bf84c1 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -40,10 +40,14 @@ Hardware - 64GB drive - 4GB RAM - UEFI, Secure Boot capable & TPM 2.0 -- Monitor 9” or more, with HD Resolution +- Monitor size 9” or more with HD Resolution - DirectX 12 compatible graphics / WDDM 2.x ## Network requirements Internet connectivity is required for the Home Edition +## See also + +[Windows Sun Valley overview](windows-sv-overview.md) + From 215a7783a66347e67e59dc7668edb611c55052b4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:40:55 -0700 Subject: [PATCH 072/370] small edits --- windows/whats-new/windows-sv-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index 343ad3490b..dc48dc8b7b 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows Sun Valley -This article provides an introduction to Windows Sun Valley, the next client release of Windows. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. @@ -55,7 +55,7 @@ Windows Sun Valley annual releases are supported for 36 months for the following - Enterprise - Education -### Feature and application lifecycle +### Features and applications Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. From 01c3844cb17028a84cf6f09b467f129a3168cdf5 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:49:45 -0700 Subject: [PATCH 073/370] add rollback --- windows/whats-new/windows-sv-overview.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv-overview.md index dc48dc8b7b..2407048dbc 100644 --- a/windows/whats-new/windows-sv-overview.md +++ b/windows/whats-new/windows-sv-overview.md @@ -29,11 +29,11 @@ Windows Sun Valley is a newly designed Windows client operating system due to be Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -You must be running the most current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). +You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -Not all eligible Windows 10 PCs will be offered theo upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to Windows Update in settings. Once the upgrade rollout has started and the upgrade has been tested and validated for your specific PC hardware, Windows Update will indicate that the upgrade is ready for installation. +Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. -You can get early access to test Windows Sun Valley by joining the Windows Insider Program, or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). ## Windows Sun Valley lifecycle @@ -85,6 +85,10 @@ Microsoft 365 licenses that include Windows licenses will permit you to run Wind If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. +## Rollback + +After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. + ## See also [Get started with Windows Sun Valley](windows-sv-get-started.md) From 2f9c22406530f92d022ae533148aeaab31abd9d6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:53:17 -0700 Subject: [PATCH 074/370] fix link --- windows/hub/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 748310bd3c..ee4cf53863 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -31,7 +31,7 @@ landingContent: - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - text: Get started with Windows Sun Valley - url: /windows/whats-new/get-started-windows-sv + url: /windows/whats-new/windows-sv-get-started - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information From 3370035c0aa5ec219a703f9d4cae969d054f3e5a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:57:00 -0700 Subject: [PATCH 075/370] remove hub index links to sv in other doc sets --- windows/hub/index.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index ee4cf53863..2673320b9e 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -44,8 +44,6 @@ landingContent: links: - text: Configure Windows url: /windows/configuration/index - - text: Configure Windows Sun Valley - url: /windows/configuration/windows-sv-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -60,8 +58,6 @@ landingContent: links: - text: Deploy and update Windows url: /windows/deployment/index - - text: Deploy Windows Sun Valley - url: /windows/deployment/windows-sv-deploy.md - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -77,8 +73,6 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Manage Windows Sun Valley applications - url: /windows/application-management/windows-sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -93,8 +87,6 @@ landingContent: links: - text: Windows client management url: /windows/client-management/index - - text: Manage Windows Sun Valley - url: /windows/client-management/windows-sv-manage.md - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles From 925f6fb900772415648cd214db71578a81ebcb65 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 11:58:37 -0700 Subject: [PATCH 076/370] shorten card name in whats new --- windows/whats-new/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index e1c75debe3..3c77fc9036 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -35,7 +35,7 @@ landingContent: url: windows-sv-get-started.md - - title: What's new in Windows 10 + - title: Windows 10 linkLists: - linkListType: overview links: From 0ca60cfe027bccc4de07aa8d577ad7f9da981621 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 3 Jun 2021 12:03:42 -0700 Subject: [PATCH 077/370] copy over articles to sv node --- windows/sv/windows-sv-get-started.md | 36 +++++++++++++ windows/sv/windows-sv-overview.md | 74 ++++++++++++++++++++++++++- windows/sv/windows-sv-requirements.md | 36 ++++++++++++- 3 files changed, 143 insertions(+), 3 deletions(-) create mode 100644 windows/sv/windows-sv-get-started.md diff --git a/windows/sv/windows-sv-get-started.md b/windows/sv/windows-sv-get-started.md new file mode 100644 index 0000000000..25b0d9e99c --- /dev/null +++ b/windows/sv/windows-sv-get-started.md @@ -0,0 +1,36 @@ +--- +title: Get started with Windows Sun Valley +description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +keywords: ["get started", "windows sun valley"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.date: 10/16/2017 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# Get started with Windows Sun Valley + +**Applies to** + +- Windows Sun Valley + +## Deployment planning + +Consider using the following process to deploy Windows Sun Valley to existing devices: +1. Preview Windows Sun Valley and create a deployment plan. +2. Test critical applications and management policies. +3. Update devices to the latest release of Windows 10. +4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. +5. Update deployment tools and infrastructure. +6. Update qualifying devices to Windows Sun Valley. + + +## See also + +[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) diff --git a/windows/sv/windows-sv-overview.md b/windows/sv/windows-sv-overview.md index 7b375294fe..2407048dbc 100644 --- a/windows/sv/windows-sv-overview.md +++ b/windows/sv/windows-sv-overview.md @@ -18,5 +18,77 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley overview -Overview of Windows Sun Valley. +**Applies to** +- Windows Sun Valley +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. + +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. + +## How to get Windows Sun Valley + +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. + +You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). + +Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. + +You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). + +## Windows Sun Valley lifecycle + +### Updates + +Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. + +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. + +### Servicing + +Windows Sun Valley annual releases are supported for 24 months for the following editions: +- Home +- Pro +- Pro for Workstations +- Pro Education + +Windows Sun Valley annual releases are supported for 36 months for the following editions: +- Enterprise +- Education + +### Features and applications + +Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. + +## Windows 10 lifecycle + +Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. + +Windows 10 will be supported with security updates until October 2025. + +## Management and tools + +Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. + +## Hardware compatibility + +Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. + +## Application compatibility + +Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). + +## Licensing + +There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. + +Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. + +If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. + +## Rollback + +After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. + +## See also + +[Get started with Windows Sun Valley](windows-sv-get-started.md) diff --git a/windows/sv/windows-sv-requirements.md b/windows/sv/windows-sv-requirements.md index 88eb31f2f5..ddb8bf84c1 100644 --- a/windows/sv/windows-sv-requirements.md +++ b/windows/sv/windows-sv-requirements.md @@ -1,6 +1,7 @@ --- title: Windows Sun Valley requirements -description: Requirements to deploy Windows Sun Valley +description: Hardware requirements to deploy Windows Sun Valley +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi ms.audience: itpro @@ -17,5 +18,36 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley requirements -Windows Sun Valley requirements. +This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). + +## Software requirements + +The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. + +## Hardware requirements + +To install Windows Sun Valley, devices must meet the following specifications: + +Processor +- Intel 8th generation, Intel Celeron N4000, Pentium N5000 +- AMD Ryzen gen 2 (Zen+), AMD 3xxx +- Qualcomm 7c, 8c, 8cx +- 64bit architecture +- 1Ghz clock speed +- 2 cores + +Hardware +- 64GB drive +- 4GB RAM +- UEFI, Secure Boot capable & TPM 2.0 +- Monitor size 9” or more with HD Resolution +- DirectX 12 compatible graphics / WDDM 2.x + +## Network requirements + +Internet connectivity is required for the Home Edition + +## See also + +[Windows Sun Valley overview](windows-sv-overview.md) From 7ae14df3fc41513d06dc1f81b2870c694a672370 Mon Sep 17 00:00:00 2001 From: Princeton Brooke Date: Fri, 4 Jun 2021 00:45:31 -0400 Subject: [PATCH 078/370] Added Set Object Security and GPO to Policy Rules --- .../security-compliance-toolkit-10.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 417dd71e21..508b24313d 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -77,4 +77,16 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. -Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Set Object Security tool? + +SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. + +Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the GPO to Policy Rules tool? + +Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. + +Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). From 6285fb6ecacb664b793fffdc1fce282d11b458c5 Mon Sep 17 00:00:00 2001 From: Princeton Brooke Date: Fri, 4 Jun 2021 07:44:29 -0400 Subject: [PATCH 079/370] Update windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 508b24313d..dc7c58f214 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -81,7 +81,7 @@ Documentation for the LGPO tool can be found on the [Microsoft Security Guidance ## What is the Set Object Security tool? -SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. +SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). From 228379457f489af03b3fa80fd97f44a437a2b231 Mon Sep 17 00:00:00 2001 From: dutch2005 Date: Fri, 4 Jun 2021 15:15:57 +0200 Subject: [PATCH 080/370] Update audit-other-privilege-use-events.md Added additional information about event 4985 (S) + link on an other document providing additional information about the subject. --- .../auditing/audit-other-privilege-use-events.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 87c74a4998..9883e2ee86 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -23,6 +23,7 @@ ms.technology: mde This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. +This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985 - (4985(S): The state of a transaction has changed. used by the file system transaction manager. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| From 840a38048575d1bbb83ef14c9877ab793d1ba891 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 4 Jun 2021 13:54:49 -0700 Subject: [PATCH 081/370] Added suggested feedback to event-id-explanation and select-types-of-rules documents. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index fb6a29d22d..f6ca319d9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -109,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 91b1a1725e..fa5065912e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. ## More information about hashes From 57309f51e80c02e22b105c93f9198f14c9811faf Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 09:38:34 -0700 Subject: [PATCH 082/370] Implemented 1 last suggestion to event ID 8036 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index f6ca319d9d..e09ff64630 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From ec1e78030b840bb4000029b3194ac327ffdba97d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 7 Jun 2021 13:55:47 -0700 Subject: [PATCH 083/370] overview url shortened --- windows/hub/TOC.yml | 2 +- windows/hub/index.yml | 2 +- windows/whats-new/TOC.yml | 2 +- windows/whats-new/index.yml | 2 +- windows/whats-new/{windows-sv-overview.md => windows-sv.md} | 0 5 files changed, 4 insertions(+), 4 deletions(-) rename windows/whats-new/{windows-sv-overview.md => windows-sv.md} (100%) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 18f3f6c535..1752028577 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -7,7 +7,7 @@ - name: What's new in Windows href: /windows/whats-new - name: Windows Sun Valley - href: /windows/whats-new/windows-sv-overview + href: /windows/whats-new/windows-sv - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 2673320b9e..e9086a6765 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -27,7 +27,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv-overview + url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - text: Get started with Windows Sun Valley diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 21c6326fb5..896d20ab51 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -4,7 +4,7 @@ expanded: true items: - name: Windows Sun Valley overview - href: windows-sv-overview.md + href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - name: Get started with Windows Sun Valley diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 3c77fc9036..2d9e4f6076 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -28,7 +28,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley Overview - url: windows-sv-overview.md + url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - text: Get started with Windows Sun Valley diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv.md similarity index 100% rename from windows/whats-new/windows-sv-overview.md rename to windows/whats-new/windows-sv.md From 3c8347fee326b81e0ef337794893e9ce3a6982b2 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 10:23:43 -0700 Subject: [PATCH 084/370] plan and prepare --- windows/whats-new/TOC.yml | 6 ++-- windows/whats-new/index.yml | 7 ++-- ...s-sv-get-started.md => windows-sv-plan.md} | 0 windows/whats-new/windows-sv-prepare.md | 36 +++++++++++++++++++ 4 files changed, 44 insertions(+), 5 deletions(-) rename windows/whats-new/{windows-sv-get-started.md => windows-sv-plan.md} (100%) create mode 100644 windows/whats-new/windows-sv-prepare.md diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 896d20ab51..612896a73f 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,8 +7,10 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Get started with Windows Sun Valley - href: windows-sv-get-started.md + - name: Plan to deploy Windows Sun Valley + href: windows-sv-plan.md + - name: Get ready for Windows Sun Valley + href: windows-sv-prepare.md - name: Windows 10 expanded: true items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 2d9e4f6076..7e3ba4fc82 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -31,9 +31,10 @@ landingContent: url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - - text: Get started with Windows Sun Valley - url: windows-sv-get-started.md - + - text: Plan to deploy Windows Sun Valley + url: windows-sv-plan.md + - text: Get ready for Windows Sun Valley + url: windows-sv-prepare.md - title: Windows 10 linkLists: diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-plan.md similarity index 100% rename from windows/whats-new/windows-sv-get-started.md rename to windows/whats-new/windows-sv-plan.md diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md new file mode 100644 index 0000000000..25b0d9e99c --- /dev/null +++ b/windows/whats-new/windows-sv-prepare.md @@ -0,0 +1,36 @@ +--- +title: Get started with Windows Sun Valley +description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +keywords: ["get started", "windows sun valley"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.date: 10/16/2017 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# Get started with Windows Sun Valley + +**Applies to** + +- Windows Sun Valley + +## Deployment planning + +Consider using the following process to deploy Windows Sun Valley to existing devices: +1. Preview Windows Sun Valley and create a deployment plan. +2. Test critical applications and management policies. +3. Update devices to the latest release of Windows 10. +4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. +5. Update deployment tools and infrastructure. +6. Update qualifying devices to Windows Sun Valley. + + +## See also + +[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) From 65360cb93aa8a91aedaa2a78c63625a3ee0444cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 10:38:55 -0700 Subject: [PATCH 085/370] reset deploy content --- windows/deployment/TOC.yml | 8 +++----- windows/deployment/index.yml | 8 ++++---- windows/deployment/windows-sv-deploy.md | 26 ------------------------ windows/deployment/windows-sv-plan.md | 26 ------------------------ windows/deployment/windows-sv-prepare.md | 23 --------------------- windows/whats-new/windows-sv-plan.md | 12 +++++------ windows/whats-new/windows-sv-prepare.md | 14 ++++++------- 7 files changed, 20 insertions(+), 97 deletions(-) delete mode 100644 windows/deployment/windows-sv-deploy.md delete mode 100644 windows/deployment/windows-sv-plan.md delete mode 100644 windows/deployment/windows-sv-prepare.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index b66af87886..e3fcfca9e0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -6,7 +6,7 @@ - name: What's new href: deploy-whats-new.md - name: Windows Sun Valley deployment overview - href: windows-sv-deploy.md + href: /windows/whats-new/windows-sv-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -36,7 +36,7 @@ - name: Plan items: - name: Windows Sun Valley deployment planning - href: windows-sv-plan.md + href: /windows/whats-new/windows-sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare to deploy Windows Sun Valley - href: windows-sv-prepare.md + href: /windows/whats-new/windows-sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -104,8 +104,6 @@ items: - name: Deploy Windows client items: - - name: Windows Sun Valley deployment overview - href: windows-sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - name: Deploy Windows client with Configuration Manager diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7b8a56f315..ef58977660 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows client deployment resources and documentation # < 60 chars -summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars +summary: Learn about deploying and keeping Windows client devices up to date. # < 160 chars metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 08/05/2020 #Required; mm/dd/yyyy format. + ms.date: 06/24/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -66,8 +66,8 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows 11 deployment overview - url: windows-sv-deploy.md + - text: Windows Sun Valley overview + url: /windows/whats-new/windows-sv-overview.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/deployment/windows-sv-deploy.md b/windows/deployment/windows-sv-deploy.md deleted file mode 100644 index fe50501d35..0000000000 --- a/windows/deployment/windows-sv-deploy.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Windows Sun Valley deployment planning -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Windows Sun Valley deployment planning - -**Applies to** -- Windows Sun Valley - -## Windows Sun Valley deployment considerations - - - diff --git a/windows/deployment/windows-sv-plan.md b/windows/deployment/windows-sv-plan.md deleted file mode 100644 index 7244da875c..0000000000 --- a/windows/deployment/windows-sv-plan.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Windows Sun Valley deployment planning -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Windows 11 deployment planning - -**Applies to** -- Windows Sun Valley - -To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows Sun Valley deployment scenarios. The scenarios are each assigned to one of three categories. \ No newline at end of file diff --git a/windows/deployment/windows-sv-prepare.md b/windows/deployment/windows-sv-prepare.md deleted file mode 100644 index 2a0b778723..0000000000 --- a/windows/deployment/windows-sv-prepare.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: Prepare to deploy Windows Sun Valley -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Prepare to deploy Windows 11 - -**Applies to** -- Windows Sun Valley - -To successfully deploy \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 25b0d9e99c..337709d6fe 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -1,13 +1,13 @@ --- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. -keywords: ["get started", "windows sun valley"] -ms.prod: w10 +title: Plan to deploy Windows Sun Valley +description: Windows Sun Valley deployment planning, IT Pro content. +keywords: ["get started", "windows sun valley", "plan"] +ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 10/16/2017 +ms.date: 06/24/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -33,4 +33,4 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) +[Get ready for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 25b0d9e99c..f3692eeaff 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -1,26 +1,26 @@ --- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +title: Prepare to deploy Windows Sun Valley +description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. keywords: ["get started", "windows sun valley"] -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 10/16/2017 +ms.date: 06/24/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high ms.topic: article --- -# Get started with Windows Sun Valley +# Prepare to deploy Windows Sun Valley **Applies to** - Windows Sun Valley -## Deployment planning +## Deployment readiness Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. @@ -33,4 +33,4 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) +[Windows Sun Valley deployment planning](windows-sv-plan.md) From 1da7b6dfefcb1dd20281f3d0ac9a01476edc232d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 11:37:09 -0700 Subject: [PATCH 086/370] added whitepaper draft --- windows/whats-new/TOC.yml | 4 +- windows/whats-new/windows-sv-plan.md | 90 +++++++++++++++++++++++++ windows/whats-new/windows-sv-prepare.md | 63 +++++++++++++++++ windows/whats-new/windows-sv.md | 13 +++- 4 files changed, 167 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 612896a73f..d611e4787f 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,9 +7,9 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Plan to deploy Windows Sun Valley + - name: Create a deployment plan href: windows-sv-plan.md - - name: Get ready for Windows Sun Valley + - name: Prepare to deploy Windows Sun Valley href: windows-sv-prepare.md - name: Windows 10 expanded: true diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 337709d6fe..190595d9be 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,6 +22,96 @@ ms.topic: article ## Deployment planning +Planning for Sun Valley + +Sun Valley has the same underlying technology used today in Windows 10. IT Professionals can use familiar existing toolsets to plan, prepare , deploy, manage, and updateand manage both Sun Valley and Windows 10 updates alike. Because we anticipate customers organizations will be using a mix of Windows 10 devices side-by-side as they integrate Sun Valley into their environments, there are some unique yet largely familiar considerations for this new operating system to help aid in planning for upcoming deployments. + +Determining eligibility +We know one of the first questions that you will have is "Do the current PC(s) in my environment meet the Sun Valley hardware requirements bar? To assess if your device(s) meet these hardware criteria, IT Professionals can continue to use the first party analytics tools they are familiar with, including Update Compliance. In addition, Microsoft is sharing necessary information to 3rd party ISVs to enable their tools to support analytics for Sun Valley. + +Consumers can determine whether their device is eligible for Sun Valley by using the PC Health Check application to assess if a device meets the minimum hardware specifications [place forthcoming ink here]. In addition, detailed minimum requirements can be found at aka.ms/minspec [link forthcoming here]. + + +Sun Valley rollouts +In this section, we’ll share more on the rollout experience for home users benefiting from the role of intelligent rollout and for IT admin managed devices who will note some changes to management controls. +Home user, consumer devices +W indows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Sun Valley will be offered Sun Valley in October of 2021. Though the message will vary by PC manufacturer, customers will see labels such as ‘this PC will upgrade to Sun Valley once available’ on products for purchase. Note, devices purchased beginning in October will see the Sun Valley offer during the out of box experience or already be imaged with Sun Valley. + +Sun Valley will be made available to current Windows 10 devices who are eligible after General Availability (GA) through the familiar Windows Update experience, first to seekers, then as part of our intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. + + +As with Windows 10, the machine learning based intelligent rollout will be leveraged when rolling out upgrades. Our ML uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience, ensuring that devices first nominated for updates are those likely to have a seamless experience, and that devices which may be problematic get the benefit of resolving potential compatibility issues before being offered an upgrade to Sun Valley. + +Managed devices + +While we are excited about the innovations and end user productivity improvements in Sun Valley, we recognize that the "right time" to move will be different for each organization. As always, for devices that you manage as an organization, you can choose between Sun Valley and Windows 10, and when the right time is for your organization to make the migration. + +Commercial customers will be able to deploy the Sun Valley update using their typical management tools to eligible devices in their organization beginning at GA. Customers upgrading from Windows Update using WUfB will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements to upgrade to Sun Valley and Safeguard holds. Safeguard holds will function for Sun Valley devices just as they do for Windows 10. IT Professionals will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Sun Valley . + +It is worth noting that if you use Windows Update for Business to manage feature update deployments today you will need to leverage the “Target Version” policy rather than Feature Update deferrals to move from Windows 10 to Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (e.g. Windows 10 21H1 to Windows 10 21H2), but they can not move you between products (e.g. Windows 10 to Windows Sun Valley). + +Additionally, please note that Sun Valley has a new end user license agreement. By nature of deploying with WUfB Target Version or with WSUS you are accepting this new end user license agreement on behalf of the end users within your organization. + +Finally, please note that while Windows 10 Pro or higher can upgrade for free using their existing management tools, those using S mode will need to first switch out of S mode (as S mode is currently not supported on Sun Valley). + +What about customizations that customers have in place necessary to support their deployments today? Will those continue to work for Sun Valley? + +Availability and upgrade path +The Sun Valley upgrade offer will begin for eligible devices at Sun Valley GA in October of this year (2021). This is true for eligible devices already running updated Windows 10 as well as for brand new devices . + +Enterprise customers who have a volume licensing agreement with Software Assurance or Windows Enterprise E3 subscription will be able to upgrade existing devices to Sun Valley after GA. + +To get a jump start on Sun Valley, we recommend that IT professionals join the Windows Insider Program (WIP) to deploy and validate it in their environments. + +If you're an IT administrator who's interested in exploring new features as they're being created, we recommend using the Beta Channel (available summer 2021) + +As an IT administrator, if you who would like to validate the Sun Valley release (and Windows 10 releases) before broadly deploying in your organization, we recommend you join our Windows Insider Program Release Preview Channel (available in summer 2021). + +Commercial customers can begin validating and exploring Sun Valley prior to GA. Sun Valley will be available for commercial customers to deploy beginning in the summer of 2021 via the Windows Insider Program for Business. Customers can deploy bits from the Windows Insider Pre-release category in WSUS, by configuring Manage Preview Builds to “Release Preview” with WUfB, by leveraging Windows Virtual Devices or Cloud PC*(will this be announced when this paper goes out?) and Azure Marketplace images, or even through simply downloading and deploying ISOs from our Windows Insider Program ISO Download page. Note – regardless of which way you choose to deploy, commercial customers have the benefit of free Microsoft support when validating pre-release, simply submit your support cases here. + +To learn more about the Windows Insider Program for Business, click here. + + + +Like Windows 10, Sun Valley devices will receive regular monthly quality updates to provide security updates and bug fixes, and at times, new functionality when deemed appropriate. Unlike Windows 10, however, Sun Valley devices will receive a single feature update annually. Knowing this will help you define your servicing strategy. + +For devices on in-service versions of Windows 10 that do not meet Sun Valley hardware requirements, they will continue to receive monthly Windows 10 security updates. +Servicing Duration: Sun Valley vs. Windows 10 +The duration of support changes slightly. Today, Windows 10 feature updates are released twice yearly, around March and September, via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. For Sun Valley, we will support each annual release for 24 months for Home and Pro editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021. + +Windows 10 will continue to receive twice yearly feature updates . We have committed to supporting Windows 10 through October 14, 2025. + +For more information, see the Windows Release Information Page, which includes information for Windows 10 semi-annual channel and LTSC releases, as well as Sun Valley. + +Potential section from Michael Raschko (pending as of 5/31): Windows 10 currently runs on more than 1 billion devices around the world, representing considerable time and investment from consumers and organizations alike. While we expect the migration to Windows “Sun Valley” will have less overhead than previous legacy Windows versions to Windows 10, we understand that organizations will need time to complete their move to Sun Valley based on their individual situations. Further, they will want to maintain and grow the value of their Windows 10 investment in the interim. + +For organizations who cannot move to Sun Valley immediately, Microsoft’s guidance is to standardize their devices on Windows 10 version to 21H2. Windows 10, version 21H2 will be the last feature update to Windows 10 but will receive specific feature enhancements to ease any growing pains there may be in migrating to Sun Valley. These features aim to provide compatibility with Microsoft existing and future products and services. + +It’s important that organizations remain in control and have adequate time to plan for feature enhancements which could affect the experience of end users. To facilitate this, feature enhancements will be provided on a quarterly cadence and will be provided with management policies to enable or disable those features. [some of this, once we get it locked in, will belong in the Feature update section below] + +Alternative sentence coming from Ellie’s deck: We will release Windows 10, version 21H2 in the second half of 2021 to keep your users productive and secure while you chart your path to Sun Valley. this is ‘we have your back’ language, and would be great to include it +Application compatibility & readiness + +Application Compatibility +Understanding that applications will work following an OS rollout is critical in the planning stage. Since Sun Valley has been built with compatibility in mind, it’s undergoing and passing the same application compatibility testing requirements that we have in place for Windows 10 feature and quality update releases. + +Microsoft is committed to ensuring applications work on the latest versions of our software. Our promise states that applications that worked on Windows 7/8.1/10 will work on Sun Valley. [This is where app compat info goes, as Test Base and AppAssure go into the Prepare section] + + + + + + + + + + + + + + + + Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index f3692eeaff..5cf0d2459c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -21,6 +21,62 @@ ms.topic: article - Windows Sun Valley ## Deployment readiness + +Organizations will vary in their pace relative to transitioning from Windows 10 to Sun Valley, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. With the new Sun Valley experience, it’s highly plausible that hybrid environments of both operating systems running simultaneously will be the norm, at least initially. + +As you prepare for Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are on -premises, Configuration Manager’s Cloud management gateway <- additional Configuration Manager content needed here . + +Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. + +The IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10: + +Analytics +Content on Endpoint analytics needed. + +Application compatibility +Two Microsoft services that work directly with you to ensure application compatibility with Sun Valley are App Assure and Test Base. + +If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. + +Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. + +Management tools +The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few nuanced differences described here: + +• Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. +• Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . +• MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. +• MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. +• Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. +• In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. +o +o To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. +o Note that Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. + + + + + + + + + + + + + + + + + + + + + + + + + Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. @@ -34,3 +90,10 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) + +• Technical documentation: Prescriptive and authoritative documentation on Microsoft Docs can help you plan for, prepare, and deploy Sun Valley — and to service and manage Windows devices effectively across your organization. +• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. +• Windows 10 update history: For every version of the Windows operating system, we publish a consolidated update history documentation experience, offering quick access to the knowledge base (KB) articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. Want to see an example? See Windows 10 update history. +• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. +• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Sun Valley effectively. + diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 2407048dbc..c25337973d 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,6 +25,15 @@ This article provides an introduction and answers some frequently asked question Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +--statement to edit +In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. +You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. +Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. +Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well. +---------statement end + ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. @@ -91,4 +100,6 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb ## See also -[Get started with Windows Sun Valley](windows-sv-get-started.md) +[Get started with Windows Sun Valley](windows-sv-plan.md) + + From 1e4b23e92e217e81b560a44b218dffc13828ff71 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 13:36:24 -0700 Subject: [PATCH 087/370] some edits --- windows/whats-new/windows-sv-plan.md | 2 +- windows/whats-new/windows-sv.md | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 190595d9be..e005a6fda7 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Get started with Windows Sun Valley +# Planning for Windows Sun Valley **Applies to** diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index c25337973d..1bd9dac13e 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,13 +25,20 @@ This article provides an introduction and answers some frequently asked question Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. ---statement to edit +The following articles are available to learn about Windows Sun Valley. The articles are designed to be read in order. + +1. Windows Sun Valley overview: An introduction to Windows Sun Valley (this article). +2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. +3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. +4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. + +--statement to edit
In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well.
---------statement end ## How to get Windows Sun Valley @@ -84,7 +91,7 @@ Most accessories and associated software that worked with Windows 10 are expecte ## Application compatibility -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). +Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](/fasttrack/products-and-capabilities#app-assure). ## Licensing From 0e4086933b45b98e4d64d6320eb84709f3cc202c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 14:43:21 -0700 Subject: [PATCH 088/370] some edits --- windows/whats-new/windows-sv.md | 50 +++++++++++++++++---------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 1bd9dac13e..f63b6653dd 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -21,33 +21,33 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows Sun Valley -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +The following articles are available to learn about Windows Sun Valley. -The following articles are available to learn about Windows Sun Valley. The articles are designed to be read in order. - -1. Windows Sun Valley overview: An introduction to Windows Sun Valley (this article). +1. [Windows Sun Valley overview](windows-sv-md): An introduction to Windows Sun Valley (this article). 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. 4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. ---statement to edit
-In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. -You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. -Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. -Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. -Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well.
----------statement end +## Introduction + +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. + +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. + +All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). +You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. +For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. + +For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Settings** > **Update & Security** > **Windows Update**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). @@ -61,15 +61,17 @@ Microsoft will continue to provide one cumulative package that includes all late ### Servicing -Windows Sun Valley annual releases are supported for 24 months for the following editions: -- Home -- Pro -- Pro for Workstations -- Pro Education +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. -Windows Sun Valley annual releases are supported for 36 months for the following editions: -- Enterprise -- Education + + + + + + + + +
EditionServicing timeline
Windows Sun Valley Home24 months from the release date
Windows Sun Valley Pro
Windows Sun Valley Pro for Workstations
Windows Sun Valley Pro Education
Windows Sun Valley Enterprise36 months from the release date
Windows Sun Valley Education
### Features and applications From ea92ce15d666e34f50a95d3ef72c2257eae296fa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 14:57:15 -0700 Subject: [PATCH 089/370] some edits --- windows/whats-new/windows-sv.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index f63b6653dd..b522d4c788 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,7 +25,7 @@ This article provides an introduction and answers some frequently asked question The following articles are available to learn about Windows Sun Valley. -1. [Windows Sun Valley overview](windows-sv-md): An introduction to Windows Sun Valley (this article). +1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. 4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. @@ -63,15 +63,14 @@ Microsoft will continue to provide one cumulative package that includes all late Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. - - - - - - - - -
EditionServicing timeline
Windows Sun Valley Home24 months from the release date
Windows Sun Valley Pro
Windows Sun Valley Pro for Workstations
Windows Sun Valley Pro Education
Windows Sun Valley Enterprise36 months from the release date
Windows Sun Valley Education
+ +| 24 months from the release date | 36 months from the release date | +| --- | --- | +| Windows Sun Valley Home | Windows Sun Valley Enterprise | +| Windows Sun Valley Pro | Windows Sun Valley Education | +| Windows Sun Valley Pro for Workstations | | +| Windows Sun Valley Pro Education | | + ### Features and applications From 595141a61131183276144ea7e2fdce0af897dc5e Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 15:59:11 -0700 Subject: [PATCH 090/370] some edits --- windows/whats-new/windows-sv-prepare.md | 21 +++++++++++---------- windows/whats-new/windows-sv.md | 4 +++- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5cf0d2459c..7e9f6b1e5c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -41,17 +41,18 @@ If you experience any issues with your apps and are enrolled in the App Assure s Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. Management tools -The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few nuanced differences described here: +The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few differences: -• Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. -• Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . -• MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. -• MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. -• Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. -• In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. -o -o To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. -o Note that Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. +- Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. +- Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . +- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. +- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. +- Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. +- In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. + +To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. + +Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index b522d4c788..96288250c3 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -61,7 +61,9 @@ Microsoft will continue to provide one cumulative package that includes all late ### Servicing -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. + +See the following table. | 24 months from the release date | 36 months from the release date | From ba0b3bdec452c36c016c28445ce2a6ffb62cf8b4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 16:45:59 -0700 Subject: [PATCH 091/370] rm sv --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From 568d14d252c78c7f5bea39725af3bf0099e726b7 Mon Sep 17 00:00:00 2001 From: Joel Christiansen <43965946+jchri@users.noreply.github.com> Date: Thu, 10 Jun 2021 14:12:34 -0500 Subject: [PATCH 092/370] Update update-csp.md Spelling mistake correction. --- windows/client-management/mdm/update-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 89c8d33d45..094b56add7 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -17,7 +17,7 @@ ms.date: 02/23/2018 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] -> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. +> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. The following shows the Update configuration service provider in tree format. From 400685ccf2212aadda5e7a72e1494b4b734eac0c Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 10 Jun 2021 14:19:34 -0700 Subject: [PATCH 093/370] Added CN info to the 2nd note under table 2 Also formatted the note as lists. --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 7a56e31130..ace22beaca 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. ## Example of file rule levels in use From 371c0224e94e326b82e0a5215fdecfe0cd450062 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 10 Jun 2021 16:28:09 -0700 Subject: [PATCH 094/370] draft --- windows/whats-new/windows-sv-plan.md | 173 +++++++++---------- windows/whats-new/windows-sv-prepare.md | 94 ++++------ windows/whats-new/windows-sv-requirements.md | 2 + windows/whats-new/windows-sv.md | 88 ++++------ 4 files changed, 148 insertions(+), 209 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index e005a6fda7..d7fda86414 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Planning for Windows Sun Valley +# Plan to deploy Windows Sun Valley **Applies to** @@ -22,103 +22,92 @@ ms.topic: article ## Deployment planning -Planning for Sun Valley - -Sun Valley has the same underlying technology used today in Windows 10. IT Professionals can use familiar existing toolsets to plan, prepare , deploy, manage, and updateand manage both Sun Valley and Windows 10 updates alike. Because we anticipate customers organizations will be using a mix of Windows 10 devices side-by-side as they integrate Sun Valley into their environments, there are some unique yet largely familiar considerations for this new operating system to help aid in planning for upcoming deployments. - -Determining eligibility -We know one of the first questions that you will have is "Do the current PC(s) in my environment meet the Sun Valley hardware requirements bar? To assess if your device(s) meet these hardware criteria, IT Professionals can continue to use the first party analytics tools they are familiar with, including Update Compliance. In addition, Microsoft is sharing necessary information to 3rd party ISVs to enable their tools to support analytics for Sun Valley. - -Consumers can determine whether their device is eligible for Sun Valley by using the PC Health Check application to assess if a device meets the minimum hardware specifications [place forthcoming ink here]. In addition, detailed minimum requirements can be found at aka.ms/minspec [link forthcoming here]. - - -Sun Valley rollouts -In this section, we’ll share more on the rollout experience for home users benefiting from the role of intelligent rollout and for IT admin managed devices who will note some changes to management controls. -Home user, consumer devices -W indows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Sun Valley will be offered Sun Valley in October of 2021. Though the message will vary by PC manufacturer, customers will see labels such as ‘this PC will upgrade to Sun Valley once available’ on products for purchase. Note, devices purchased beginning in October will see the Sun Valley offer during the out of box experience or already be imaged with Sun Valley. - -Sun Valley will be made available to current Windows 10 devices who are eligible after General Availability (GA) through the familiar Windows Update experience, first to seekers, then as part of our intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. - - -As with Windows 10, the machine learning based intelligent rollout will be leveraged when rolling out upgrades. Our ML uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience, ensuring that devices first nominated for updates are those likely to have a seamless experience, and that devices which may be problematic get the benefit of resolving potential compatibility issues before being offered an upgrade to Sun Valley. - -Managed devices - -While we are excited about the innovations and end user productivity improvements in Sun Valley, we recognize that the "right time" to move will be different for each organization. As always, for devices that you manage as an organization, you can choose between Sun Valley and Windows 10, and when the right time is for your organization to make the migration. - -Commercial customers will be able to deploy the Sun Valley update using their typical management tools to eligible devices in their organization beginning at GA. Customers upgrading from Windows Update using WUfB will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements to upgrade to Sun Valley and Safeguard holds. Safeguard holds will function for Sun Valley devices just as they do for Windows 10. IT Professionals will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Sun Valley . - -It is worth noting that if you use Windows Update for Business to manage feature update deployments today you will need to leverage the “Target Version” policy rather than Feature Update deferrals to move from Windows 10 to Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (e.g. Windows 10 21H1 to Windows 10 21H2), but they can not move you between products (e.g. Windows 10 to Windows Sun Valley). - -Additionally, please note that Sun Valley has a new end user license agreement. By nature of deploying with WUfB Target Version or with WSUS you are accepting this new end user license agreement on behalf of the end users within your organization. - -Finally, please note that while Windows 10 Pro or higher can upgrade for free using their existing management tools, those using S mode will need to first switch out of S mode (as S mode is currently not supported on Sun Valley). - -What about customizations that customers have in place necessary to support their deployments today? Will those continue to work for Sun Valley? - -Availability and upgrade path -The Sun Valley upgrade offer will begin for eligible devices at Sun Valley GA in October of this year (2021). This is true for eligible devices already running updated Windows 10 as well as for brand new devices . - -Enterprise customers who have a volume licensing agreement with Software Assurance or Windows Enterprise E3 subscription will be able to upgrade existing devices to Sun Valley after GA. - -To get a jump start on Sun Valley, we recommend that IT professionals join the Windows Insider Program (WIP) to deploy and validate it in their environments. - -If you're an IT administrator who's interested in exploring new features as they're being created, we recommend using the Beta Channel (available summer 2021) - -As an IT administrator, if you who would like to validate the Sun Valley release (and Windows 10 releases) before broadly deploying in your organization, we recommend you join our Windows Insider Program Release Preview Channel (available in summer 2021). - -Commercial customers can begin validating and exploring Sun Valley prior to GA. Sun Valley will be available for commercial customers to deploy beginning in the summer of 2021 via the Windows Insider Program for Business. Customers can deploy bits from the Windows Insider Pre-release category in WSUS, by configuring Manage Preview Builds to “Release Preview” with WUfB, by leveraging Windows Virtual Devices or Cloud PC*(will this be announced when this paper goes out?) and Azure Marketplace images, or even through simply downloading and deploying ISOs from our Windows Insider Program ISO Download page. Note – regardless of which way you choose to deploy, commercial customers have the benefit of free Microsoft support when validating pre-release, simply submit your support cases here. - -To learn more about the Windows Insider Program for Business, click here. - - - -Like Windows 10, Sun Valley devices will receive regular monthly quality updates to provide security updates and bug fixes, and at times, new functionality when deemed appropriate. Unlike Windows 10, however, Sun Valley devices will receive a single feature update annually. Knowing this will help you define your servicing strategy. - -For devices on in-service versions of Windows 10 that do not meet Sun Valley hardware requirements, they will continue to receive monthly Windows 10 security updates. -Servicing Duration: Sun Valley vs. Windows 10 -The duration of support changes slightly. Today, Windows 10 feature updates are released twice yearly, around March and September, via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. For Sun Valley, we will support each annual release for 24 months for Home and Pro editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021. +This article provides IT professionals with planning guidance for the recent Windows Sun Valley announcements, specifically: -Windows 10 will continue to receive twice yearly feature updates . We have committed to supporting Windows 10 through October 14, 2025. + - Adoption guidance + - Infrastructure planning + - Servicing cadence and lifecycle + - Application readiness + - Functionality and coexistence with Windows 10 ecosystems + +## Deployment process -For more information, see the Windows Release Information Page, which includes information for Windows 10 semi-annual channel and LTSC releases, as well as Sun Valley. - -Potential section from Michael Raschko (pending as of 5/31): Windows 10 currently runs on more than 1 billion devices around the world, representing considerable time and investment from consumers and organizations alike. While we expect the migration to Windows “Sun Valley” will have less overhead than previous legacy Windows versions to Windows 10, we understand that organizations will need time to complete their move to Sun Valley based on their individual situations. Further, they will want to maintain and grow the value of their Windows 10 investment in the interim. - -For organizations who cannot move to Sun Valley immediately, Microsoft’s guidance is to standardize their devices on Windows 10 version to 21H2. Windows 10, version 21H2 will be the last feature update to Windows 10 but will receive specific feature enhancements to ease any growing pains there may be in migrating to Sun Valley. These features aim to provide compatibility with Microsoft existing and future products and services. - -It’s important that organizations remain in control and have adequate time to plan for feature enhancements which could affect the experience of end users. To facilitate this, feature enhancements will be provided on a quarterly cadence and will be provided with management policies to enable or disable those features. [some of this, once we get it locked in, will belong in the Feature update section below] - -Alternative sentence coming from Ellie’s deck: We will release Windows 10, version 21H2 in the second half of 2021 to keep your users productive and secure while you chart your path to Sun Valley. this is ‘we have your back’ language, and would be great to include it -Application compatibility & readiness - -Application Compatibility -Understanding that applications will work following an OS rollout is critical in the planning stage. Since Sun Valley has been built with compatibility in mind, it’s undergoing and passing the same application compatibility testing requirements that we have in place for Windows 10 feature and quality update releases. - -Microsoft is committed to ensuring applications work on the latest versions of our software. Our promise states that applications that worked on Windows 7/8.1/10 will work on Sun Valley. [This is where app compat info goes, as Test Base and AppAssure go into the Prepare section] - - - - - - - - - - - - - - - - -Consider using the following process to deploy Windows Sun Valley to existing devices: +Consider using the following processes to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. +3. Update devices to the Windows 10, version 20H1 or later. 4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. +5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. + +## Phased deployment + +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. + +Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. + +## Infrastructure and tools + +You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). + +## Configurations + +Assess your current [configurations](/windows/deployment/update/eval-infra-tools#configuration-updates) such as security baselines, administrative templates, and policies that affect updates. Then, set some criteria to define your [operational readiness](/windows/deployment/update/eval-infra-tools#define-operational-readiness-criteria), Define an infrastructure update plan to: +- Review requirements +- Identify gaps +- Implement required updates + +## Windows Sun Valley Servicing + +### Cadence + +Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. + +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. + +### Lifecycle + +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
+ + +| 24 months from the release date | 36 months from the release date | +| ------------------------------- | ------------------------------- | +| Windows Sun Valley Home | Windows Sun Valley Enterprise | +| Windows Sun Valley Pro | Windows Sun Valley Education | +| Windows Sun Valley Pro for Workstations | | +| Windows Sun Valley Pro Education | | + +### Features and applications + +Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. + +## Application readiness + +Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) + + + + + + + + + + + + + + + + + + + + + + + + ## See also diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 7e9f6b1e5c..3d7fa0815a 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -22,79 +22,45 @@ ms.topic: article ## Deployment readiness -Organizations will vary in their pace relative to transitioning from Windows 10 to Sun Valley, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. With the new Sun Valley experience, it’s highly plausible that hybrid environments of both operating systems running simultaneously will be the norm, at least initially. +This article provides details on how to begin testing and validating Windows Sun Valley in your environment, and prepare for deployment. Links are also provided to important resource locations for more information. -As you prepare for Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are on -premises, Configuration Manager’s Cloud management gateway <- additional Configuration Manager content needed here . +To prepare for deployment of Windows Sun Valley, you will need to implement your [planned updates](windows-sv-plan.md) to infrastructure, settings, and tools, including: +- Test your critical applications and management policies +- Update devices to Windows 10, version 20H1 or later +- Verify hardware meets requirements for Windows Sun Valley +- Update your management tools, infrastructure, and policies +- [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. -Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. +When these actions are completed, you can begin your phased deployment of Windows Sun Valley. -The IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10: +## Application compatibility -Analytics -Content on Endpoint analytics needed. +Two Microsoft services that work directly with you to ensure application compatibility with Windows Sun Valley are [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure) and [Test Base](https://www.microsoft.com/testbase). -Application compatibility -Two Microsoft services that work directly with you to ensure application compatibility with Sun Valley are App Assure and Test Base. +- If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. +- Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. +You can use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). -Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. - -Management tools -The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few differences: - -- Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. -- Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . -- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. -- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. -- Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. -- In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. - -To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. - -Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. - - - - - - - - - - - - - - - - - - - - - - - - - - -Consider using the following process to deploy Windows Sun Valley to existing devices: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. -6. Update qualifying devices to Windows Sun Valley. +## Management tools +The following updates are required to support deploying Windows Sun Valley: +- Configuration Manager should use the current branch. + - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. + - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +- If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. +- Windows Update for Business (WUfB) users can leverage the Target Version capability (not Feature Update deferrals). + - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +- No action is required for you to use Microsoft Intune because it is cloud-based. + - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. +- Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. + - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. + - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. + - To use Windows Autopilot to upgrade existing devices, Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. + - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) - -• Technical documentation: Prescriptive and authoritative documentation on Microsoft Docs can help you plan for, prepare, and deploy Sun Valley — and to service and manage Windows devices effectively across your organization. -• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. -• Windows 10 update history: For every version of the Windows operating system, we publish a consolidated update history documentation experience, offering quick access to the knowledge base (KB) articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. Want to see an example? See Windows 10 update history. -• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. -• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Sun Valley effectively. - diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index ddb8bf84c1..e33c0381d6 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -24,6 +24,8 @@ This article lists the sotware and physical hardware requirements to run Windows The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. +If you are running Windows in S mode, you will need to first switch out of S mode prior to upgrading. S mode is not supported on Sun Valley. + ## Hardware requirements To install Windows Sun Valley, devices must meet the following specifications: diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 96288250c3..ac2765847b 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -44,59 +44,11 @@ Windows Sun Valley will delivered as an upgrade to devices running Windows 10 be You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. - -For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. -- Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Settings** > **Update & Security** > **Windows Update**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. +For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). -## Windows Sun Valley lifecycle - -### Updates - -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -### Servicing - -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. - -See the following table. - - -| 24 months from the release date | 36 months from the release date | -| --- | --- | -| Windows Sun Valley Home | Windows Sun Valley Enterprise | -| Windows Sun Valley Pro | Windows Sun Valley Education | -| Windows Sun Valley Pro for Workstations | | -| Windows Sun Valley Pro Education | | - - -### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Windows 10 lifecycle - -Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. - -Windows 10 will be supported with security updates until October 2025. - -## Management and tools - -Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. - -## Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -## Application compatibility - -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](/fasttrack/products-and-capabilities#app-assure). - -## Licensing +### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -104,12 +56,42 @@ Microsoft 365 licenses that include Windows licenses will permit you to run Wind If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -## Rollback +### Rollback After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. -## See also +## Compatibility -[Get started with Windows Sun Valley](windows-sv-plan.md) +Windows Sun Valley is based on the same foundation as Windows 10. Therefore, it supports investments that IT organizations have made to support Windows 10. + +### Management and tools + +You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). + +### Hardware compatibility + +Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. + +### Application compatibility + +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. +## Windows Sun Valley servicing + +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). + +## Windows 10 lifecycle + +For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, but will receive specific feature enhancements to ease migrating to Windows Sun Valley. + +Windows 10 will continue to be supported with security updates until October 2025. + + +## Next steps + +[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Prepare for Windows Sun Valley](windows-sv-prepare.md) + + +## See also \ No newline at end of file From 9f950b1a8e7569558c3e2d5e40ef04c480b9c791 Mon Sep 17 00:00:00 2001 From: Benzy Dharmanayagam Date: Fri, 11 Jun 2021 15:29:58 +0530 Subject: [PATCH 095/370] Updated-5138946, 5138946, 5155963, 5155998 The following articles have been updated: Changes to Windows diagnostic data collection. Configure Windows diagnostic data in your organization. Windows 10 & Privacy Compliance --- ...s-to-windows-diagnostic-data-collection.md | 25 +++-- ...ws-diagnostic-data-in-your-organization.md | 93 +++++++++++++++---- .../windows-10-and-privacy-compliance.md | 90 ++++++++++++++---- 3 files changed, 166 insertions(+), 42 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 9514d43951..b277bb3b25 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -24,7 +24,7 @@ ms.date: 07/21/2020 Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. -This topic is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: +This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: - [Taxonomy changes](#taxonomy-changes) - [Behavioral changes](#behaviorial-changes) @@ -36,7 +36,7 @@ This topic is meant for IT administrators and explains the changes Windows is ma In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. -Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to more accurately reflect its behavior by changing it to **Diagnostic data off**. All of these changes are explained in the section named **Behavioral changes**. +Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. ## Taxonomy changes @@ -48,9 +48,9 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience > [!IMPORTANT] > No action is required for the taxonomy changes, and your existing settings will be maintained as part of this update. -## Behaviorial changes +## Behavioral changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. +In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 10 device to limit crash dumps and logs](#configure-a-windows-10-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Additionally, you will see the following policy changes in an upcoming release of Windows 10: @@ -70,7 +70,7 @@ A final set of changes includes two new policies that can help you fine-tune dia - MDM policy: System/LimitDiagnosticLogCollection >[!Important] ->All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. +>All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. ## Configure a Windows 10 device to limit crash dumps and logs @@ -88,4 +88,17 @@ Customers who use services that depend on Windows diagnostic data, such as Micro The following provides information on the current configurations: - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data) -- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) \ No newline at end of file +- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) + +## New Windows diagnostic data processor configuration + +**Applies to** +- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer + +Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. + +Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. + +Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. + +This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index c5f2f8b2ce..b3cf4f88b5 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -22,22 +22,23 @@ ms.date: 10/13/2020 - Windows 10 Enterprise - Windows 10 Education +- Windows 10 Professional - Windows Server 2016 and newer -This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data that’s sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. +This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. >[!IMPORTANT] >Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). -## Overview +## Overview -Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for the customer’s needs. +Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs. For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). ### Diagnostic data gives users a voice -Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. +Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. ### _Improve app and driver quality_ @@ -73,7 +74,7 @@ Later in this document we provide further details about how to control what’s ### Data transmission -All diagnostic data is encrypted using TLS and uses certificate pinning during transfer from the device to the Microsoft data management services. +All diagnostic data is encrypted using Transport Layer Security (TLS) and uses certificate pinning during transfer from the device to the Microsoft data management services. ### Endpoints @@ -110,7 +111,7 @@ Here’s a summary of the types of data that is included with each setting: | --- | --- | --- | --- | --- | | **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.| | **Crash Metadata** | N/A | Yes | Yes | Yes | -| **Crash Dumps** | N/A | No | Triage dumps only

For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps

For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | +| **Crash Dumps** | N/A | No | Triage dumps only

For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps

For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | | **Diagnostic logs** | N/A | No | No | Yes | | **Data collection** | N/A | 100% | Sampling applies | Sampling applies | @@ -156,31 +157,31 @@ Required diagnostic data includes: ### Enhanced diagnostic data ->[!NOTE] +>[!NOTE] >We’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information: - Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - + - Operating system app events resulting from Microsoft apps and management tools that were downloaded from the Microsoft Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - + - Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - + - All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). - ### Optional diagnostic data +### Optional diagnostic data Optional diagnostic data, previously labeled as **Full**, includes more detailed information about your device and its settings, capabilities, and device health. Optional diagnostic data also includes data about the websites you browse, device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. When you choose to send optional diagnostic data, required diagnostic data will always be included, and we collect the following additional information: - Additional data about the device, connectivity, and configuration, beyond that collected under required diagnostic data. - + - Status and logging information about the health of operating system and other system components beyond what is collected under required diagnostic data. - + - App activity, such as which programs are launched on a device, how long they run, and how quickly they respond to input. - + - Browser activity, including browsing history and search terms, in Microsoft browsers (Microsoft Edge or Internet Explorer). - + - Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences. >[!Note] @@ -190,7 +191,7 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization. ->[!IMPORTANT] +>[!IMPORTANT] >These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy or MDM. @@ -224,6 +225,66 @@ You can use Group Policy to set your organization’s diagnostic data setting: Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy. +## Enable Windows diagnostic data processor configuration + +The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements. + +### Prerequisites + +The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer. The device must also be joined to Azure Active Directory. + +The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: + +- v10c.events.data.microsoft.com +- umwatsonc.events.data.microsoft.com +- kmwatsonc.events.data.microsoft.com +- settings-win.data.microsoft.com +- *.blob.core.windows.net + +### Enabling Windows diagnostic data processor configuration + +Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution. + +In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. + +If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration: + + - **Name:** System/AllowCommercialDataPipeline + - **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline + - **Data type:** Integer + +Under **Value**, use **1** to enable the service. + +If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. + +>[!Note] +> - If you have any additional policies that also enable you to be a controller of Windows diagnostic data, such as the services listed below, you will need to turn off all the applicable policies in order to stop being a controller for Windows diagnostic data. +> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. +> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. + +You can also enable the Windows diagnostic data processor configuration by enrolling in services that use Windows diagnostic data. These services currently include Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and Windows Update for Business. + +For information on these services and how to configure the group policies, refer to the following documentation: + +Desktop Analytics: + +- [Enable data sharing - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/enable-data-sharing) +- [Desktop Analytics data privacy - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/privacy) +- [Group policy settings - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/group-policy-settings) + +Update Compliance: + +- [Privacy in Update Compliance - Windows Deployment | Microsoft Docs](/windows/deployment/update/update-compliance-privacy) +- [Manually configuring devices for Update Compliance - Windows Deployment | Microsoft Docs](/windows/deployment/update/update-compliance-configuration-manual#required-policies) + +Microsoft Managed Desktop: + +- [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](/microsoft-365/managed-desktop/service-description/privacy-personal-data) + +Windows Update for Business: + +- [Windows Update for Business deployment service - Windows Deployment | Microsoft Docs](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) + ## Limit optional diagnostic data for Desktop Analytics For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing). diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index a33a9a416e..f0f78ca7f3 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -19,18 +19,17 @@ ms.date: 07/21/2020 # Windows 10 & Privacy Compliance:
A Guide for IT and Compliance Professionals Applies to: + - Windows 10 Enterprise - Windows 10 Education +- Windows 10 Professional - Windows Server 2016 and newer ## Overview ->[!IMPORTANT] ->Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). - At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10. -Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. +Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 and our connected experiences. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR) @@ -45,11 +44,11 @@ When setting up a device, a user can configure their privacy settings. Those pri The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. > [!NOTE] -> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, [see Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). | Feature/Setting | Description | Supporting Content | Privacy Statement | | --- | --- | --- | --- | -| Diagnostic Data |

Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

Diagnostic data is categorized into the following:

  • **Required diagnostic data**
    Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
  • **Optional diagnostic data**
    Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

| [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Diagnostic Data |

Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

Diagnostic data is categorized into the following:

  • **Required diagnostic data**
    Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
  • **Optional diagnostic data**
    Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

| [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) | | Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | @@ -57,7 +56,7 @@ The following table provides an overview of the Windows 10 privacy settings pres | Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | | Activity History/Timeline – Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) | -| Cortana |

Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.

Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

| [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)

[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) | +| Cortana |

Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content, and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.

Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

| [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)

[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) | ### 1.2 Data collection monitoring @@ -65,6 +64,8 @@ The following table provides an overview of the Windows 10 privacy settings pres An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. +> [!Note] +> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject request to access or export Windows diagnostic data associated with a particular user’s use of a device. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). ## 2. Windows 10 data collection management @@ -81,14 +82,14 @@ Administrators can configure and control privacy settings across their organizat The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This is not a complete list of settings that involve connecting to Microsoft connected experiences. For more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). | Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:
Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Required diagnostic data | Security and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. For more information, see [Enabling the Windows diagnostic data processor configuration](#_238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration_). | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | @@ -111,24 +112,29 @@ You can use the following articles to learn more about Autopilot and how to use - https://docs.microsoft.com/windows/deployment/windows-Autopilot/windows-Autopilot - https://docs.microsoft.com/windows/deployment/windows-Autopilot/deployment-process -#### _2.3.2 Managing connections from Windows components to Microsoft services_ +#### _2.3.2 Windows 10 connected experiences and essential services_ -Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows components. +Windows includes built-in apps, services, and features, that connect to the internet to provide enhanced experiences and additional capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. -For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. +Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. -#### _2.3.3 Managing Windows 10 connections_ +Windows connected experiences and essential services transfer data to Microsoft network endpoints, and while an administrator may want to block these endpoints for their organization to meet specific compliance objectives, we recommend that you carefully assess the impact of turning off essential services. -Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives. +The article [Manage connection endpoints for Windows 10, version 20H2](/windows/privacy/manage-windows-20h2-endpoints) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. -[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](./index.yml) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. +#### _2.3.3 Managing connections from Windows connected experiences to Microsoft services_ + +Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows connected experiences and essential services. + +For more information, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. #### _2.3.4 Limited functionality baseline_ An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] ->We recommend that you fully test any modifications to these settings before deploying them in your organization. +> - We recommend that you fully test any modifications to these settings before deploying them in your organization. +> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off. #### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_ @@ -144,23 +150,58 @@ Windows 10, version 1809 and newer allows a user to delete diagnostic data colle An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. +>[!Note] +>If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the powershell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal. + +#### _2.3.8 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ + +**Applies to:** + +- Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer + +The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Diagnostic data does not include data processed by Microsoft with the use of essential services and connected experiences in Windows. + +The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. + +We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following: + +- Restrict user’s ability to sign-in with a Microsoft Account (MSA) using [Block Microsoft account group policy](/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts). +- Restrict user’s ability to submit feedback, as any feedback or additional logs submitted by the user are not managed by the Windows diagnostic data processor configuration option. The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and block ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed). + +>[!Note] +>Tenant account closure will lead to the deletion of all data associated with that tenant. + +Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Desktop Analytics, and Microsoft Managed Devices. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). + +For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation - Microsoft GDPR | Microsoft Docs](/compliance/regulatory/gdpr). ## 3. The process for exercising data subject rights This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device. +For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below. + ### 3.1 Delete Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet. +>[!Note] +>If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal. + ### 3.2 View The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. +>[!Note] +>If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal. + ### 3.3 Export The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the **Export** data button in the top menu. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script. +>[!Note] +>If the Windows diagnostic data processor configuration is enabled, IT administrators can also export the diagnostic data that is associated with a user from the admin portal. + ### 3.4 Devices connected to a Microsoft account If a user signs in to a Windows experience or app on their device with their Microsoft account, they can view, delete, and export data associated with their Microsoft account on the [Privacy dashboard](https://account.microsoft.com/privacy). @@ -168,11 +209,10 @@ If a user signs in to a Windows experience or app on their device with their Mic ## 4. Cross-border data transfers -Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders +Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders. Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data. - ## 5. Related Windows product considerations The following sections provide details about how privacy data is collected and managed across related Windows products. @@ -181,23 +221,33 @@ The following sections provide details about how privacy data is collected and m Windows Server follows the same mechanisms as Windows 10 for handling of personal data. +>[!Note] +>The Windows diagnostic data processor configuration is not available for Windows Server. + ### 5.2 Surface Hub -[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store +[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. >[!IMPORTANT] >Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services. An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](/surface-hub/manage-settings-with-mdm-for-surface-hub). +>[!Note] +>The Windows diagnostic data processor configuration is not available for Surface Hub. + ### 5.3 Desktop Analytics -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function. +[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function. ### 5.4 Microsoft Managed Desktop [Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services. +### 5.5 Update Compliance + +[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows 10 Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows 10 diagnostic data for all its reporting. + ## Additional Resources * [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview) From 1c91a7f11956210fe68a2d2ebc18b6a41b7006e3 Mon Sep 17 00:00:00 2001 From: Benzy Dharmanayagam Date: Fri, 11 Jun 2021 15:47:07 +0530 Subject: [PATCH 096/370] Fixed warnings --- .../changes-to-windows-diagnostic-data-collection.md | 2 +- windows/privacy/windows-10-and-privacy-compliance.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index b277bb3b25..113c415e29 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -27,7 +27,7 @@ Microsoft is committed to providing you with effective controls over your data a This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: - [Taxonomy changes](#taxonomy-changes) -- [Behavioral changes](#behaviorial-changes) +- [Behavioral changes](#behavioral-changes) > [!NOTE] > You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later. diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index f0f78ca7f3..e5ce1e7e04 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -89,7 +89,7 @@ The following table provides an overview of the privacy settings discussed earli | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. For more information, see [Enabling the Windows diagnostic data processor configuration](#_238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration_). | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. For more information, see [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | @@ -109,8 +109,8 @@ If you want the ability to fully control and apply restrictions on data being se Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10: -- https://docs.microsoft.com/windows/deployment/windows-Autopilot/windows-Autopilot -- https://docs.microsoft.com/windows/deployment/windows-Autopilot/deployment-process +- [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) +- [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) #### _2.3.2 Windows 10 connected experiences and essential services_ @@ -146,7 +146,7 @@ Windows 10, version 1803 and newer allows users to change their diagnostic data #### _2.3.7 Diagnostic data: Managing device-based data delete_ -Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet. +Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. @@ -183,7 +183,7 @@ For IT administrators who have devices using the Windows diagnostic data process ### 3.1 Delete -Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet. +Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal. @@ -242,7 +242,7 @@ An administrator can configure privacy-related settings, such as choosing to onl ### 5.4 Microsoft Managed Desktop -[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services. +[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services. ### 5.5 Update Compliance From 13ca837b40cfe77998c0319819c76763d9a980a5 Mon Sep 17 00:00:00 2001 From: Mark Stanfill Date: Fri, 11 Jun 2021 10:51:20 -0500 Subject: [PATCH 097/370] Update policy-csp-storage.md Correcting OMA-URI value --- windows/client-management/mdm/policy-csp-storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a3d2099a3e..e55afed42c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -719,7 +719,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,4 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 571ca43d6a97e7d2c419e8ae53f880c1dfed2fb8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 11 Jun 2021 10:22:00 -0700 Subject: [PATCH 098/370] Added the suggested edits for the 2nd note under the 2nd table. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ace22beaca..1f5068600a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -110,7 +110,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > [!NOTE] > - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. -> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use From b7fd5c5eaf4a893f6f24a648b43662041cbd43df Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 11:59:36 -0700 Subject: [PATCH 099/370] tweaks --- windows/hub/index.yml | 4 +-- windows/whats-new/TOC.yml | 4 +-- windows/whats-new/index.yml | 2 +- windows/whats-new/windows-sv-plan.md | 24 +++++++++----- windows/whats-new/windows-sv-prepare.md | 6 ++-- windows/whats-new/windows-sv-requirements.md | 13 ++++++-- windows/whats-new/windows-sv.md | 35 ++++++++------------ 7 files changed, 50 insertions(+), 38 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index e9086a6765..60a1b71261 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -30,8 +30,8 @@ landingContent: url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - - text: Get started with Windows Sun Valley - url: /windows/whats-new/windows-sv-get-started + - text: Plan to deploy Windows Sun Valley + url: /windows/whats-new/windows-sv-plan - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index d611e4787f..fb7a0de80e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,9 +7,9 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Create a deployment plan + - name: Plan to deploy Windows Sun Valley href: windows-sv-plan.md - - name: Prepare to deploy Windows Sun Valley + - name: Prepare for Windows Sun Valley href: windows-sv-prepare.md - name: Windows 10 expanded: true diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 7e3ba4fc82..bf2243760c 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -33,7 +33,7 @@ landingContent: url: windows-sv-requirements.md - text: Plan to deploy Windows Sun Valley url: windows-sv-plan.md - - text: Get ready for Windows Sun Valley + - text: Prepare for Windows Sun Valley url: windows-sv-prepare.md - title: Windows 10 diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d7fda86414..bdc60ffec4 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -18,21 +18,21 @@ ms.topic: article **Applies to** -- Windows Sun Valley +- Windows Sun Valley, version 21H2 ## Deployment planning -This article provides IT professionals with planning guidance for the recent Windows Sun Valley announcements, specifically: +This article provides you with planning guidance to deploy Windows Sun Valley in your organization, specifically: - Adoption guidance - Infrastructure planning - Servicing cadence and lifecycle - Application readiness - Functionality and coexistence with Windows 10 ecosystems - -## Deployment process -Consider using the following processes to deploy Windows Sun Valley: +### Deployment process + +Consider the following order of activities: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -40,9 +40,11 @@ Consider using the following processes to deploy Windows Sun Valley: 5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. -## Phased deployment +### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. + +A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. @@ -57,7 +59,13 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools - Identify gaps - Implement required updates -## Windows Sun Valley Servicing +## Windows 10 lifecycle + +For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. + +Windows 10 will continue to be supported with security updates until October 2025. + +## Windows Sun Valley servicing ### Cadence diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 3d7fa0815a..14f8b5e369 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -14,11 +14,11 @@ ms.localizationpriority: high ms.topic: article --- -# Prepare to deploy Windows Sun Valley +# Prepare for Windows Sun Valley **Applies to** -- Windows Sun Valley +- Windows Sun Valley, version 21H2 ## Deployment readiness @@ -31,6 +31,8 @@ To prepare for deployment of Windows Sun Valley, you will need to implement your - Update your management tools, infrastructure, and policies - [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. + + When these actions are completed, you can begin your phased deployment of Windows Sun Valley. ## Application compatibility diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index e33c0381d6..ddd412c1cb 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -18,13 +18,17 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley requirements +**Applies to** + +- Windows Sun Valley, version 21H2 + This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). ## Software requirements The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. -If you are running Windows in S mode, you will need to first switch out of S mode prior to upgrading. S mode is not supported on Sun Valley. +S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements @@ -49,7 +53,12 @@ Hardware Internet connectivity is required for the Home Edition +## Next steps + +[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Prepare for Windows Sun Valley](windows-sv-prepare.md) + ## See also -[Windows Sun Valley overview](windows-sv-overview.md) +[Windows Sun Valley overview](windows-sv.md) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index ac2765847b..0513369d68 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -19,34 +19,34 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley overview **Applies to** -- Windows Sun Valley + +- Windows Sun Valley, version 21H2 This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -The following articles are available to learn about Windows Sun Valley. +The following articles are available to learn about Windows Sun Valley: 1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. -4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. +4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. ## Introduction Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. +Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. +- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). -You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. - -You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). ### Licensing @@ -62,7 +62,7 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb ## Compatibility -Windows Sun Valley is based on the same foundation as Windows 10. Therefore, it supports investments that IT organizations have made to support Windows 10. +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. ### Management and tools @@ -74,24 +74,17 @@ Most accessories and associated software that worked with Windows 10 are expecte ### Application compatibility -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. - +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) ## Windows Sun Valley servicing For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). -## Windows 10 lifecycle - -For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, but will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. +## Windows 10 servicing +Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv.plan.md#windows-10-lifecycle). ## Next steps [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) - - -## See also \ No newline at end of file From 023aae766a37db24913c591e833acc941e85b2d1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 12:52:51 -0700 Subject: [PATCH 100/370] draft --- windows/whats-new/windows-sv-plan.md | 46 ++++++-------------- windows/whats-new/windows-sv-prepare.md | 4 +- windows/whats-new/windows-sv-requirements.md | 6 +-- windows/whats-new/windows-sv.md | 8 ++-- 4 files changed, 21 insertions(+), 43 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index bdc60ffec4..8e49a77cdf 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -42,9 +42,14 @@ Consider the following order of activities: ### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates and includes separate groups or 'rings' that receive an update at different times. For example: +- Preview: Windows Sun Valley planning and development +- Limited: Windows Sun Valley pilot deployment +- Broad: Windows Sun Valley rollout -A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. +With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. + +A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. @@ -59,12 +64,6 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools - Identify gaps - Implement required updates -## Windows 10 lifecycle - -For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. - ## Windows Sun Valley servicing ### Cadence @@ -91,33 +90,14 @@ Most features and applications that are included with Windows 10 will be availab ## Application readiness -Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) +Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +## Windows 10 coexistence +For organizations that need to maintain a mixed enviroment with coexisting Windows 10 and Windows Sun Valley devices, Microsoft’s guidance is to standardize on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. +Windows 10 will continue to be supported with security updates until October 2025. +## Next steps - - - - - - - - - - - - - - - - - - - - - -## See also - -[Get ready for Windows Sun Valley](windows-sv-prepare.md) +[Prepare for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 14f8b5e369..754df4db9d 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -31,9 +31,7 @@ To prepare for deployment of Windows Sun Valley, you will need to implement your - Update your management tools, infrastructure, and policies - [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. - - -When these actions are completed, you can begin your phased deployment of Windows Sun Valley. +After completing these actions, you can begin your phased deployment of Windows Sun Valley. ## Application compatibility diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index ddd412c1cb..5be3c8bf06 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -22,11 +22,11 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). +This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). ## Software requirements -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. +The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. @@ -51,7 +51,7 @@ Hardware ## Network requirements -Internet connectivity is required for the Home Edition +Internet connectivity is required for the Home edition of Windows Sun Valley. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 0513369d68..e8354606db 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -42,8 +42,8 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. -- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. - You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -78,11 +78,11 @@ Windows Sun Valley preserves the application compatibility promise made with Win ## Windows Sun Valley servicing -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#servicing). ## Windows 10 servicing -Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv.plan.md#windows-10-lifecycle). +Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). ## Next steps From d96023e5dadcff575dc1f57518d014822c93246a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:48:49 -0700 Subject: [PATCH 101/370] draft2 --- windows/whats-new/windows-sv-plan.md | 16 ++++++------ windows/whats-new/windows-sv-prepare.md | 4 +-- windows/whats-new/windows-sv-requirements.md | 3 ++- windows/whats-new/windows-sv.md | 26 +++++++++++--------- 4 files changed, 28 insertions(+), 21 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 8e49a77cdf..8904cf19e3 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -This article provides you with planning guidance to deploy Windows Sun Valley in your organization, specifically: +This article provides planning guidance to deploy Windows Sun Valley, specifically: - Adoption guidance - Infrastructure planning @@ -32,7 +32,7 @@ This article provides you with planning guidance to deploy Windows Sun Valley in ### Deployment process -Consider the following order of activities: +Consider using the following process to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -42,20 +42,22 @@ Consider the following order of activities: ### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates and includes separate groups or 'rings' that receive an update at different times. For example: +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: - Preview: Windows Sun Valley planning and development - Limited: Windows Sun Valley pilot deployment - Broad: Windows Sun Valley rollout With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. -A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. +Use a [calendar based approach](/windows/deployment/update/plan-define-strategy#calendar-approaches) to plan Windows Sun Valley upgrades, and include scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. ## Infrastructure and tools -You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). +You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. + +As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). ## Configurations @@ -68,13 +70,13 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools ### Cadence -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. +Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. ### Lifecycle -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
+Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
 
| 24 months from the release date | 36 months from the release date | diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 754df4db9d..5b3b15b817 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -50,7 +50,7 @@ The following updates are required to support deploying Windows Sun Valley: - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. - If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. -- Windows Update for Business (WUfB) users can leverage the Target Version capability (not Feature Update deferrals). +- Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - No action is required for you to use Microsoft Intune because it is cloud-based. @@ -58,7 +58,7 @@ The following updates are required to support deploying Windows Sun Valley: - Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - - To use Windows Autopilot to upgrade existing devices, Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. + - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. ## See also diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 5be3c8bf06..22999267a0 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -28,7 +28,8 @@ This article lists the sotware and physical hardware requirements to run Windows The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. -S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +S mode is not supported on Windows Sun Valley. +- If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index e8354606db..50c3f38aa3 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -26,14 +26,14 @@ This article provides an introduction and answers some frequently asked question The following articles are available to learn about Windows Sun Valley: -1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. -2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. -3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. -4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. +1. Windows Sun Valley overview (this article): An introduction and brief overview. +2. [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. +3. [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment and to be the most reliable, secure, connected, and performant OS release ever. Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. @@ -41,10 +41,10 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. +- For managed PCs that meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). - For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -- You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +- You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -52,7 +52,7 @@ For more information about eligibility to upgrade, see [Windows Sun Valley requi There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. -Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. @@ -74,7 +74,9 @@ Most accessories and associated software that worked with Windows 10 are expecte ### Application compatibility -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. + +For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) ## Windows Sun Valley servicing @@ -82,7 +84,9 @@ For details about the Windows Sun Valley servicing cadence and lifecycle, see [W ## Windows 10 servicing -Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). +Windows 10 will continue to be supported with security updates until October 2025. + +For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). ## Next steps From 2f475267baeea249e5c50f3650ff48ce34f11653 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:53:01 -0700 Subject: [PATCH 102/370] draft3 --- windows/whats-new/windows-sv-prepare.md | 29 +++++++++++++++++++------ 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5b3b15b817..5c5f1687db 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -40,22 +40,37 @@ Two Microsoft services that work directly with you to ensure application compati - If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. - Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -You can use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). +You can also use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). ## Management tools -The following updates are required to support deploying Windows Sun Valley: -- Configuration Manager should use the current branch. +The following updates are required to support deploying Windows Sun Valley. + +### Configuration Manager + +Configuration Manager should use the current branch. - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. -- If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. -- Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). + +### WSUS + +If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. + +### WUfB + +Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. -- No action is required for you to use Microsoft Intune because it is cloud-based. + +### Microsoft Intune + +No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. -- Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. + +### Windows Autopilot + +Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. From beb49f84712f572ce319e480a1d6952b9bf9c583 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:56:14 -0700 Subject: [PATCH 103/370] draft4 --- windows/whats-new/windows-sv.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 50c3f38aa3..c1c31de0c4 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -80,13 +80,13 @@ For more information, see [Application compatibility](windows-sv-prepare.md#appl ## Windows Sun Valley servicing -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#servicing). +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). ## Windows 10 servicing Windows 10 will continue to be supported with security updates until October 2025. -For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). +For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10-coexistence). ## Next steps From ed7b18112ed0e515ef463044c6341429cae10b9a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 14:00:15 -0700 Subject: [PATCH 104/370] draft5 --- windows/whats-new/windows-sv-prepare.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5c5f1687db..9bc3e59982 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -50,18 +50,18 @@ The following updates are required to support deploying Windows Sun Valley. Configuration Manager should use the current branch. - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. ### WSUS -If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. +If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. ### WUfB Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. ### Microsoft Intune From a7248e6d9cafecdc29fe8b25fbbf47ed878bfa63 Mon Sep 17 00:00:00 2001 From: Steve DiAcetis Date: Fri, 11 Jun 2021 14:09:12 -0700 Subject: [PATCH 105/370] Update media-dynamic-update.md Additional information on Flash removal --- windows/deployment/update/media-dynamic-update.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..5b33d7c287 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. From fe45e657bf13c815e40ef7c1e7893f7e8aa37281 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:13:45 -0700 Subject: [PATCH 106/370] FAQ Additoin This additional question and answer was requested to be added to this FAQ document by Radia Soulmani . --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 0e4406aaa5..abb97cebcc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -51,6 +51,10 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. +### I’m trying to watch playback video with HDR, why is the HDR option missing? + +In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. From 611dc0328fe7cdf684864aec19db3d13b099758f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 11 Jun 2021 14:34:51 -0700 Subject: [PATCH 107/370] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index abb97cebcc..c37d466af5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/12/2021 +ms.date: 06/11/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -23,9 +23,9 @@ This article lists frequently asked questions with answers for Microsoft Defende ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4-GB RAM? +### Can I enable Application Guard on machines equipped with 4 GB RAM? -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) @@ -51,7 +51,7 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. -### I’m trying to watch playback video with HDR, why is the HDR option missing? +### I’m trying to watch playback video with HDR. Why is the HDR option missing? In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. @@ -102,7 +102,7 @@ Yes, both the Enterprise Resource domains that are hosted in the cloud and the d ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why do the Network Isolation policies in Group Policy and CSP look different? @@ -114,7 +114,7 @@ There is not a one-to-one mapping among all the Network Isolation policies betwe - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? From 1464230d8a9f035ff6dc317c890fb15955901cc1 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Fri, 11 Jun 2021 15:03:48 -0700 Subject: [PATCH 108/370] Update media-dynamic-update.md A few small changes for style. --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 5b33d7c287..81b0cd7857 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions @@ -459,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` From c79468fa89db03a73db421805d3b77f58597e752 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 11 Jun 2021 15:29:44 -0700 Subject: [PATCH 109/370] Update to deal with production outage issue If a customer running a failover cluster removes Authenticated Users group from this policy setting, the cluster goes down. --- .../access-this-computer-from-the-network.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). @@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) From 875fc889a1780ff8a2fe413bbea8ca55a1b107fe Mon Sep 17 00:00:00 2001 From: JoyJaz <76192344+joyjaz@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:29:45 -0800 Subject: [PATCH 110/370] Update configuration-service-provider-reference.md Changes made per Lavinder and Task 33226532. --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..f076fe16e7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2555,7 +2555,7 @@ The following list shows the CSPs supported in HoloLens devices: [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2636,4 +2636,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 57e1b9eaaedab70491466dd1199d20c5058d880c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 19:07:04 -0700 Subject: [PATCH 111/370] Correct bad link added in the public repo This commit corrects the bad link added in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646/commits/1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 in PR https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646. --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index c3f6909aaa..9c79336c9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From 83d688e3f2ea31d4c1b4dc8965dc2c6c82b264df Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 22:08:07 -0700 Subject: [PATCH 112/370] Remove the Markdown version of this file, which has been replaced by a YAML file in the private branch. --- .../faq-md-app-guard.md | 214 ------------------ 1 file changed, 214 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index c37d466af5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null @@ -1,214 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 06/11/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4 GB RAM? - -We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### I’m trying to watch playback video with HDR. Why is the HDR option missing? - -In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? - -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. - -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 6506a888b45aa5764c3fafb4d79f3c87af7206a8 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 14 Jun 2021 10:30:40 +0200 Subject: [PATCH 113/370] Update vpnv2-csp.md Update information on NRPT applicability. --- windows/client-management/mdm/vpnv2-csp.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 15c30be7f5..e21af0bff4 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +> [!NOTE] +> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. + **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. -> [!NOTE] -> Currently only one web proxy server is supported. +> [!NOTE] +> Currently only one web proxy server is supported. Value type is chr. Supported operations include Get, Add, Replace, and Delete. From c7161c13338e271240a06a7653e4c9a108ce3da3 Mon Sep 17 00:00:00 2001 From: Per Larsen Date: Mon, 14 Jun 2021 13:27:20 +0200 Subject: [PATCH 114/370] Update enroll-a-windows-10-device-automatically-using-group-policy.md Device Credential Is only supported for: - Co-management - WVD (Azure Virtual Desktop) - Autopilot deploying mode - witch is not using GPO for enrollment --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9e1150cd20..775e72cacd 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -128,7 +128,7 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." From 4a407713ce5fa607cf7b10c333d37eb992800966 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 14 Jun 2021 13:59:58 +0100 Subject: [PATCH 115/370] Remove deploy data processor --- .openpublishing.redirection.json | 5 + .../deploy-data-processor-service-windows.md | 96 ------------------- 2 files changed, 5 insertions(+), 96 deletions(-) delete mode 100644 windows/privacy/deploy-data-processor-service-windows.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 4afc122348..cf0c97aa74 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18919,6 +18919,11 @@ "source_path": "windows/security/threat-protection/device-control/device-control-report.md", "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report", "redirect_document_id": false + }, + { + "source_path": "windows/privacy/deploy-data-processor-service-windows.md", + "redirect_url": "windows/privacy/windows-10-and-privacy-compliance", + "redirect_document_id": false } ] } diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md deleted file mode 100644 index 01a6bbec79..0000000000 --- a/windows/privacy/deploy-data-processor-service-windows.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: Technical Deployment of the data processor service for Windows Enterprise -description: Use this article to understand how to deploy and manage the data processor service for Windows Enterprise. -keywords: privacy, GDPR -ms.localizationpriority: high -ROBOTS: NOINDEX, NOFOLLOW -ms.prod: w10 -ms.topic: article -f1.keywords: -- NOCSH -ms.author: siosulli -author: dansimp -manager: dansimp -audience: itpro -ms.collection: -- GDPR -- M365-security-compliance ---- - -# Data processor service for Windows Enterprise Overview - ->[!NOTE] ->This topic is intended for participants in the data processor service for Windows Enterprise preview program and requires acceptance of specific terms of use. To learn -more about the program and agree to the terms of use, see [https://aka.ms/WindowsEnterprisePublicPreview](https://aka.ms/WindowsEnterprisePublicPreview). - -The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs. -The data processor service for Windows Enterprise empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR). - -The data processor service for Windows Enterprise will serve as a foundation for other Microsoft services that use Windows diagnostic data. - -The data processor service for Windows Enterprise offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations. -Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards. - -The data processor service for Windows Enterprise provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID. -Should you desire so, Microsoft will accommodate a data processor service for Windows Enterprise tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer. - ->[!Note] ->Tenant account closure will lead to the deletion of all data associated with that tenant. - -## Deployment of data processor service for Windows Enterprise -Use the instructions below to easily manage the data processor service for Windows Enterprise using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer. - -### Prerequisites -#### Versions supported -The data processor service for Windows Enterprise is currently supported on Windows 10, version 1809, and newer versions. - -#### Network requirements -The following endpoints need to be reachable from devices enrolled into the data processor service for Windows Enterprise: - - login.live.com - - cy2.vortex.data.microsoft.com.akadns.net - - v10.events.data.microsoft.com - - v10.vortex-win.data.microsoft.com/collect/v1 - -For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version: - -[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md) - -[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md) - -### Deploying data processor service for Windows Enterprise -You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices. - -In Group Policy, to enable data collection through the data processor service for Windows Enterprise, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. - -If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. - -To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration: - -- **Name:** System/AllowCommercialDataPipeline -- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline -- **Data type:** Integer - -Under **Value**, use **1** to enable the service. - -If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. - ->[!Note] ->Data collected from a device, before it was enrolled into the data processor service for Windows Enterprise, will not be moved into the enterprise compliance boundary. - -## Managing data processor service for Windows Enterprise -### Executing user-based data subject requests (DSRs) -To perform user-based DSRs, the data processor service for Windows Enterprise requires your organization to be reflected in Azure AD. - -If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action. - -If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join. -To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). - -Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide). - -## Geo-location -Windows Diagnostic Data collected through the data processor service for Windows Enterprise is hosted in our datacenter in the United States. \ No newline at end of file From 755b677cd9205fe7f0384eb0bbcae259be6349f3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 14 Jun 2021 14:30:59 +0100 Subject: [PATCH 116/370] Create deploy-data-processor-service-windows.md --- .../deploy-data-processor-service-windows.md | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 windows/privacy/deploy-data-processor-service-windows.md diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md new file mode 100644 index 0000000000..01a6bbec79 --- /dev/null +++ b/windows/privacy/deploy-data-processor-service-windows.md @@ -0,0 +1,96 @@ +--- +title: Technical Deployment of the data processor service for Windows Enterprise +description: Use this article to understand how to deploy and manage the data processor service for Windows Enterprise. +keywords: privacy, GDPR +ms.localizationpriority: high +ROBOTS: NOINDEX, NOFOLLOW +ms.prod: w10 +ms.topic: article +f1.keywords: +- NOCSH +ms.author: siosulli +author: dansimp +manager: dansimp +audience: itpro +ms.collection: +- GDPR +- M365-security-compliance +--- + +# Data processor service for Windows Enterprise Overview + +>[!NOTE] +>This topic is intended for participants in the data processor service for Windows Enterprise preview program and requires acceptance of specific terms of use. To learn +more about the program and agree to the terms of use, see [https://aka.ms/WindowsEnterprisePublicPreview](https://aka.ms/WindowsEnterprisePublicPreview). + +The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs. +The data processor service for Windows Enterprise empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR). + +The data processor service for Windows Enterprise will serve as a foundation for other Microsoft services that use Windows diagnostic data. + +The data processor service for Windows Enterprise offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations. +Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards. + +The data processor service for Windows Enterprise provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID. +Should you desire so, Microsoft will accommodate a data processor service for Windows Enterprise tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer. + +>[!Note] +>Tenant account closure will lead to the deletion of all data associated with that tenant. + +## Deployment of data processor service for Windows Enterprise +Use the instructions below to easily manage the data processor service for Windows Enterprise using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer. + +### Prerequisites +#### Versions supported +The data processor service for Windows Enterprise is currently supported on Windows 10, version 1809, and newer versions. + +#### Network requirements +The following endpoints need to be reachable from devices enrolled into the data processor service for Windows Enterprise: + + login.live.com + + cy2.vortex.data.microsoft.com.akadns.net + + v10.events.data.microsoft.com + + v10.vortex-win.data.microsoft.com/collect/v1 + +For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version: + +[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md) + +[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md) + +### Deploying data processor service for Windows Enterprise +You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices. + +In Group Policy, to enable data collection through the data processor service for Windows Enterprise, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. + +If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. + +To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration: + +- **Name:** System/AllowCommercialDataPipeline +- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline +- **Data type:** Integer + +Under **Value**, use **1** to enable the service. + +If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. + +>[!Note] +>Data collected from a device, before it was enrolled into the data processor service for Windows Enterprise, will not be moved into the enterprise compliance boundary. + +## Managing data processor service for Windows Enterprise +### Executing user-based data subject requests (DSRs) +To perform user-based DSRs, the data processor service for Windows Enterprise requires your organization to be reflected in Azure AD. + +If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action. + +If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join. +To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). + +Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide). + +## Geo-location +Windows Diagnostic Data collected through the data processor service for Windows Enterprise is hosted in our datacenter in the United States. \ No newline at end of file From b60c53c79e1162fe17eb49cb21b2c7bf7adb6a47 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 14 Jun 2021 14:38:51 +0100 Subject: [PATCH 117/370] remove file v2 --- .openpublishing.redirection.json | 2 +- .../deploy-data-processor-service-windows.md | 96 ------------------- 2 files changed, 1 insertion(+), 97 deletions(-) delete mode 100644 windows/privacy/deploy-data-processor-service-windows.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cf0c97aa74..25a371ea28 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18922,7 +18922,7 @@ }, { "source_path": "windows/privacy/deploy-data-processor-service-windows.md", - "redirect_url": "windows/privacy/windows-10-and-privacy-compliance", + "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "redirect_document_id": false } ] diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md deleted file mode 100644 index 01a6bbec79..0000000000 --- a/windows/privacy/deploy-data-processor-service-windows.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: Technical Deployment of the data processor service for Windows Enterprise -description: Use this article to understand how to deploy and manage the data processor service for Windows Enterprise. -keywords: privacy, GDPR -ms.localizationpriority: high -ROBOTS: NOINDEX, NOFOLLOW -ms.prod: w10 -ms.topic: article -f1.keywords: -- NOCSH -ms.author: siosulli -author: dansimp -manager: dansimp -audience: itpro -ms.collection: -- GDPR -- M365-security-compliance ---- - -# Data processor service for Windows Enterprise Overview - ->[!NOTE] ->This topic is intended for participants in the data processor service for Windows Enterprise preview program and requires acceptance of specific terms of use. To learn -more about the program and agree to the terms of use, see [https://aka.ms/WindowsEnterprisePublicPreview](https://aka.ms/WindowsEnterprisePublicPreview). - -The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs. -The data processor service for Windows Enterprise empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR). - -The data processor service for Windows Enterprise will serve as a foundation for other Microsoft services that use Windows diagnostic data. - -The data processor service for Windows Enterprise offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations. -Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards. - -The data processor service for Windows Enterprise provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID. -Should you desire so, Microsoft will accommodate a data processor service for Windows Enterprise tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer. - ->[!Note] ->Tenant account closure will lead to the deletion of all data associated with that tenant. - -## Deployment of data processor service for Windows Enterprise -Use the instructions below to easily manage the data processor service for Windows Enterprise using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer. - -### Prerequisites -#### Versions supported -The data processor service for Windows Enterprise is currently supported on Windows 10, version 1809, and newer versions. - -#### Network requirements -The following endpoints need to be reachable from devices enrolled into the data processor service for Windows Enterprise: - - login.live.com - - cy2.vortex.data.microsoft.com.akadns.net - - v10.events.data.microsoft.com - - v10.vortex-win.data.microsoft.com/collect/v1 - -For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version: - -[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md) - -[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md) - -### Deploying data processor service for Windows Enterprise -You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices. - -In Group Policy, to enable data collection through the data processor service for Windows Enterprise, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. - -If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. - -To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration: - -- **Name:** System/AllowCommercialDataPipeline -- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline -- **Data type:** Integer - -Under **Value**, use **1** to enable the service. - -If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. - ->[!Note] ->Data collected from a device, before it was enrolled into the data processor service for Windows Enterprise, will not be moved into the enterprise compliance boundary. - -## Managing data processor service for Windows Enterprise -### Executing user-based data subject requests (DSRs) -To perform user-based DSRs, the data processor service for Windows Enterprise requires your organization to be reflected in Azure AD. - -If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action. - -If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join. -To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). - -Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide). - -## Geo-location -Windows Diagnostic Data collected through the data processor service for Windows Enterprise is hosted in our datacenter in the United States. \ No newline at end of file From 15a0beb8e5756f0faa8b3f0dffec0daeb27305ad Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 14 Jun 2021 14:43:27 +0100 Subject: [PATCH 118/370] remove public preview terms --- .openpublishing.redirection.json | 7 +- ...windows-enterprise-public-preview-terms.md | 324 ------------------ 2 files changed, 6 insertions(+), 325 deletions(-) delete mode 100644 windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 25a371ea28..1434fdccf8 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18924,6 +18924,11 @@ "source_path": "windows/privacy/deploy-data-processor-service-windows.md", "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "redirect_document_id": false - } + }, + { + "source_path": "data-processor-service-for-windows-enterprise-public-preview-terms.md", + "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_document_id": false + } ] } diff --git a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md deleted file mode 100644 index 170bd2f449..0000000000 --- a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md +++ /dev/null @@ -1,324 +0,0 @@ ---- -title: Data processor service for Windows Enterprise public preview terms -description: Use this article to understand Windows public preview terms of service. -keywords: privacy, GDPR -ms.localizationpriority: high -ROBOTS: NOINDEX, NOFOLLOW -ms.prod: w10 -ms.topic: article -f1.keywords: -- NOCSH -ms.author: siosulli -author: dansimp -manager: dansimp -audience: itpro -ms.collection: -- GDPR -- M365-security-compliance ---- - -# Data processor service for Windows Enterprise public preview terms - -**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.** - -These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD. - - 1. **Definitions**. The following terms have the following meanings: - - 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD. - - 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services. - - 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. - - 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services. - - 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data. - -2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications. - -3. **Intellectual Property**. - - 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms. - - 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term. - - 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws. - - 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control. - -4. **Confidentiality**. The following confidentiality terms apply to the Preview: - - 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:

- 1. a party’s released or unreleased software or hardware products;

- 2. a party’s source code;

- 3. a party’s product marketing or promotion;

- 4. a party’s business policies or practices;

- 5. a party’s customers or suppliers;

- 6. information received from others that a party must treat as confidential; and

- 7. information provided, obtained, or created by a party under these Terms, including: - * information in reports; - * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source; - * Personal Data; and - * Transactional, sales, and marketing information. - - 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information. - - 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:

- 1. system access;

- 2. system and application development and maintenance;

- 3. change management;

- 4. asset classification and control;

- 5. incident response, physical and environmental security;

- 6. disaster recovery/business continuity; and

- 7. employee training. - -5. **Data Protection.** - - **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Attachment 1 govern that processing and the parties also agree to the following terms: - - 1. Processing Details: The parties agree that: - * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR; - * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms; - * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms; - * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and - * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers. - - 2. Data Transfers: - * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services. - * All transfers of Preview Data and Personal Data out of the European Union, European Economic Area, United Kingdom, and Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses in Attachment 2. - * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR. - * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles. - -6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services. - -7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview. - -8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights). - -9. **Representations and Warranties; Limitation of Liability.** - - 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms. - - 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR. - - 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4. - -10. **General.** - - 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party. - - 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington. - - 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action. - - 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses. - - 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent. - - 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter. - - 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.

- -

- Attachment 1: GDPR Terms
- -For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data. - -**Relevant GDPR Obligations: Articles 28, 32, and 33** - -1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2)) -2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall: - - 1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; - - 2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; - - 3. take all measures required pursuant to Article 32 of the GDPR; - - 4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor; - - 5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR; - - 6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft; - - 7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data; - - 8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. - - 9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3)) - -3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4)) - -4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: - - 1. the pseudonymisation and encryption of Personal Data; - - 2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; - - 3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and - - 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1)) - -5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2)) - -6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4)) - -7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft. - -

- Attachment 2 – The Standard Contractual Clauses (Processors)
- -In countries where regulatory approval is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon under European Commission 2010/87/EU (of February 2010) to legitimize export of data from the country, unless Customer has the required regulatory approval. -Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR. -For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Customer (as data exporter) and Microsoft Corporation (as data importer, whose signature appears below), each a “party,” together “the parties,” have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1. - -**Clause 1: Definitions** - -1. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; -1. 'the data exporter' means the controller who transfers the personal data; -1. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; -1. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; -1. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; -1. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. - -**Clause 2: Details of the transfer** - -The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses. - -**Clause 3: Third-party beneficiary clause** - -1. The data subject can enforce against the data exporter this Clause, Clause 4(2) to (9), Clause 5(1) to (5), and (7) to (10), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. -2.1.exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. -1. The data subject can enforce against the subprocessor this Clause, Clause 5(1) to (5) and (7), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. -1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. - -**Clause 4: Obligations of the data exporter** - -The data exporter agrees and warrants: - -1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; -1. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses; -1. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below; -1. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; -1. that it will ensure compliance with the security measures; -1. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; -1. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(2) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; -1. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; -1. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and -1. that it will ensure compliance with Clause 4(1) to (9). - -**Clause 5: Obligations of the data importer** - -The data importer agrees and warrants: - -1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; -1. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; -1. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; -1. that it will promptly notify the data exporter about: - 1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, - 1. any accidental or unauthorised access, and - 1. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so; -1. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; -1. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; -1. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter; -1. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent; -1. that the processing services by the subprocessor will be carried out in accordance with Clause 11; and -1. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter. - -**Clause 6: Liability** - -1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered. -1. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. -The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. -1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses. - -**Clause 7: Mediation and jurisdiction** - -1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: - 1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; - 1. to refer the dispute to the courts in the Member State in which the data exporter is established. -1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law. - -**Clause 8: Cooperation with supervisory authorities** - -1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. -1. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law. -1. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (2). - -**Clause 9: Governing Law** - -The Clauses shall be governed by the law of the Member State in which the data exporter is established. - -**Clause 10: Variation of the contract** - -The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause. - -**Clause 11: Subprocessing** - -1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement. -1. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. -1. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established. -1. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. - -**Clause 12: Obligation after the termination of personal data processing services** - -1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. -1. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1. - -**Appendix 1 to the Standard Contractual Clauses** - -**Data exporter**: Customer is the data exporter. The data exporter is a user of the Services. - -**Data importer**: The data importer is MICROSOFT CORPORATION, a global producer of software and services. - -**Data subjects**: Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data: - -* Employees, contractors and temporary workers (current, former, prospective) of data exporter; -* Dependents of the above; -* Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former); -* Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services; -* Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter; -* Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter); -* Minors; or -* Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.). - -**Categories of data**: The personal data transferred that is included in data processed by the Services. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data: - -* Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children; -* Authentication data (for example user name, password or PIN code, security question, audit trail); -* Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details); -* Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology); -* Pseudonymous identifiers; -* Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness); -* Commercial Information (for example history of purchases, special offers, subscription information, payment history); -* Biometric Information (for example DNA, fingerprints and iris scans); -* Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points); -* Photos, video and audio; -* Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities); -* Device identification (for example IMEI-number, SIM card number, MAC address); -* Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences); -* HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations); -* Education data (for example education history, current education, grades and results, highest degree achieved, learning disability); -* Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit); -* Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority; -* Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or -* Any other personal data identified in Article 4 of the GDPR. - -**Processing operations**: The personal data transferred will be subject to the following basic processing activities: - -1. **Duration and Object of Data Processing**. The duration of data processing shall be for the term of the Preview. The objective of the data processing is the performance of the Services. -1. **Scope and Purpose of Data Processing**. The scope and purpose of processing personal data is described in Section 5 of this agreement. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities. -1. **Customer Data and Personal Data Access**. For the term designated under the applicable volume licensing agreement data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (1) provide data exporter with the ability to correct, delete, or block Customer Data and personal data, or (2) make such corrections, deletions, or blockages on its behalf. -1. **Data Exporter’s Instructions**. For Online Services and Professional Services, data importer will only act upon data exporter’s instructions as conveyed by Microsoft. -1. **Preview Data and Personal Data Deletion or Return**. Upon expiration or termination of data exporter’s use of the Services, it may extract Customer Data and personal data and data importer will delete Customer Data and personal data, each in accordance with the terms of this agreement. - -**Subcontractors**: In accordance with the DPA, the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data and personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data and personal data for any other purpose. - -**Appendix 2 to the Standard Contractual Clauses** - -Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(4) and 5(3): - -1. **Personnel**. Data importer’s personnel will not process Preview Data or personal data without authorization. Personnel are obligated to maintain the confidentiality of any such Preview Data and personal data and this obligation continues even after their engagement ends. -2. **Data Privacy Contact**. The data privacy officer of the data importer can be reached at the following address:
Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, WA 98052 USA -3. **Technical and Organization Measures**. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Preview Data and personal data, as defined in Attachment 1 of this agreement, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows: The technical and organizational measures, internal controls, and information security routines set forth in Attachment 1 of this agreement are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety. From f00f9cc588b3790c897144e27cd5ea9c520ab2c2 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 14 Jun 2021 14:49:36 +0100 Subject: [PATCH 119/370] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1434fdccf8..445d23b7ea 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18926,7 +18926,7 @@ "redirect_document_id": false }, { - "source_path": "data-processor-service-for-windows-enterprise-public-preview-terms.md", + "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "redirect_document_id": false } From f07b4f01f30e6e85aa162856ae32936b6ad82f10 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 14 Jun 2021 08:39:15 -0700 Subject: [PATCH 120/370] Update windows/deployment/update/media-dynamic-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 81b0cd7857..85d236c15d 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions From 17db40a3eb6f99a7ad7d4f06edc1e1fea0e58274 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Mon, 14 Jun 2021 09:08:56 -0700 Subject: [PATCH 121/370] Update media-dynamic-update.md Corrected comma. --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 85d236c15d..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions From 86d8af570836ff725714dc4296572c51a294e83e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 14 Jun 2021 10:25:05 -0700 Subject: [PATCH 122/370] Added additional text to the ApplicationControl CSP section --- ...ultiple-windows-defender-application-control-policies.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..f3935c6b4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+ +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 036fdabfce26f39a91fbaf7bde5fa7977f464a8d Mon Sep 17 00:00:00 2001 From: v-hearya Date: Tue, 15 Jun 2021 00:59:11 +0530 Subject: [PATCH 123/370] Broken link fixed --- browsers/internet-explorer/kb-support/ie-edge-faqs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 7bc45c1ec2..50862d688d 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -114,8 +114,8 @@ sections: - question: | How to improve performance by using PAC scripts answer: | - - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) - - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) - name: Other questions questions: @@ -124,7 +124,7 @@ sections: answer: | For more information, see the following blog article: - [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) - question: | How to add sites to the Enterprise Mode (EMIE) site list From 9354d35287519d34b15260b94fe232c63e31b670 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:44:22 -0700 Subject: [PATCH 124/370] Update update-baseline.md Update the link of Update Baseline toolkit to the Security Compliance Toolkit (which now contains Update Baseline) --- windows/deployment/update/update-baseline.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 4438c95e54..91ea05a2e5 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,7 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. From 3f9c194f35c6a682b974ee07af0a064b819d41d3 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 15 Jun 2021 08:12:48 +0200 Subject: [PATCH 125/370] Update windows/client-management/mdm/vpnv2-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/vpnv2-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e21af0bff4..1fed240483 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -391,7 +391,7 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. > [!NOTE] -> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -1603,4 +1603,3 @@ Servers - From d36f937b2b902896a15ce6c7f6bd2d47394dc089 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=20M=C3=BCller?= <85677225+amueller-tf@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:18:00 +0200 Subject: [PATCH 126/370] Fix Defender for Endpoint link --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 39371c3da0..31d34345c4 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 9ef8502ee4b2e602b09c4775b306e8ba73e9a3e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT <18405051+denisebmsft@users.noreply.github.com> Date: Tue, 15 Jun 2021 07:14:26 -0700 Subject: [PATCH 127/370] Update fileless-threats.md --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 31d34345c4..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 3b02d8ff9dd952b9f7baac5f0cf8923522515135 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:08:15 -0400 Subject: [PATCH 128/370] Fixed error in documentation for wrong value AllowWUfBCloudProcessing is a DWORD, or Integer. Not String. It also must be set to "8", not "1". This is correcting an error in documentation. --- windows/deployment/update/deployment-service-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4c034921b7..256bbb7d4e 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **String** - - Value: **1** + - Data type: **Integer** + - Value: **8** 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. 7. In **Review + create**, review your settings, and then select **Create**. 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. From 0e3c630f274313fc7bb39bacea59b053dc18c5a7 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Tue, 15 Jun 2021 09:50:15 -0700 Subject: [PATCH 129/370] Update windows/deployment/update/update-baseline.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/update-baseline.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 91ea05a2e5..2e4ab4fd64 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. - From 00d940e661cdf570067ac61ae2bad4b5daaa5da7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 10:52:39 -0700 Subject: [PATCH 130/370] edits --- windows/whats-new/windows-sv-plan.md | 28 +++++++------ windows/whats-new/windows-sv-prepare.md | 42 ++++++++++---------- windows/whats-new/windows-sv-requirements.md | 7 ++-- windows/whats-new/windows-sv.md | 15 +++---- 4 files changed, 50 insertions(+), 42 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 8904cf19e3..ff388e1c4f 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,9 @@ ms.topic: article ## Deployment planning -This article provides planning guidance to deploy Windows Sun Valley, specifically: +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. + +This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: - Adoption guidance - Infrastructure planning @@ -30,9 +32,9 @@ This article provides planning guidance to deploy Windows Sun Valley, specifical - Application readiness - Functionality and coexistence with Windows 10 ecosystems -### Deployment process +#### Deployment process -Consider using the following process to deploy Windows Sun Valley: +Consider using the following processes to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -40,7 +42,7 @@ Consider using the following process to deploy Windows Sun Valley: 5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. -### Phased deployment +#### Phased deployment A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: - Preview: Windows Sun Valley planning and development @@ -49,15 +51,15 @@ A phased deployment model is recommended for rolling out upgrades to devices in With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. -Use a [calendar based approach](/windows/deployment/update/plan-define-strategy#calendar-approaches) to plan Windows Sun Valley upgrades, and include scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. - Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. ## Infrastructure and tools You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. -As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). +For information about updates that are required to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). + +Also see [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) for a list of tasks related to deploying feature updates. ## Configurations @@ -68,15 +70,15 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools ## Windows Sun Valley servicing -### Cadence +#### Cadence Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates and servicing stack updates, if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. -### Lifecycle +#### Lifecycle -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
 
+Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. This is a different servicing lifecycle than that for [Windows 10 release information](/windows/release-health/release-information). See the following table:
 
| 24 months from the release date | 36 months from the release date | @@ -86,7 +88,9 @@ Windows Sun Valley annual releases are supported for 24 months or 36 months, dep | Windows Sun Valley Pro for Workstations | | | Windows Sun Valley Pro Education | | -### Features and applications +A long term servicing channel release of Windows Sun Valley is not planned at this time. + +#### Features and applications Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 9bc3e59982..85f8bd4b1b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -40,35 +40,18 @@ Two Microsoft services that work directly with you to ensure application compati - If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. - Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -You can also use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). +You can also use [Endpoint Analytics](/mem/analytics/app-reliability), to test application compatibility. ## Management tools The following updates are required to support deploying Windows Sun Valley. -### Configuration Manager - -Configuration Manager should use the current branch. - - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. - -### WSUS - -If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. - -### WUfB - -Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - -### Microsoft Intune +#### Microsoft Intune No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. -### Windows Autopilot +#### Windows Autopilot Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. @@ -76,6 +59,25 @@ Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. +#### Configuration Manager + +Configuration Manager should use the current branch. + - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. + - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. + - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. + +#### WSUS + +If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. + +#### WUfB + +Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). + - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + + + ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 22999267a0..1ec42163e8 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -22,14 +22,15 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). +This article lists the software and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). ## Software requirements The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. -S mode is not supported on Windows Sun Valley. -- If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +> [!NOTE] +> S mode is not supported on Windows Sun Valley. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index c1c31de0c4..21147d17cf 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -42,13 +42,13 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -- For managed PCs that meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +- For PCs that are managed by your organization and meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +- For personal devices and other unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. - You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). -### Licensing +#### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -56,7 +56,7 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -### Rollback +#### Rollback After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. @@ -64,15 +64,15 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. -### Management and tools +#### Management and tools You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). -### Hardware compatibility +#### Hardware compatibility Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -### Application compatibility +#### Application compatibility Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. @@ -90,5 +90,6 @@ For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10 ## Next steps +[Windows Sun Valley requirements](windows-sv-requirements.md) [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) From e627e8b1daeee9f0fe8bd27b8434e37b5ac211d6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 11:07:22 -0700 Subject: [PATCH 131/370] edits --- windows/whats-new/windows-sv-plan.md | 12 ++++++------ windows/whats-new/windows-sv-prepare.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index ff388e1c4f..76f9576c7b 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations working with a mix of Windows 10 and Windows Sun Valley devices side-by-side. This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: @@ -32,14 +32,14 @@ This article provides planning guidance to help you begin depoying Windows Sun V - Application readiness - Functionality and coexistence with Windows 10 ecosystems -#### Deployment process +#### Deployment processes Consider using the following processes to deploy Windows Sun Valley: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. +1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. +2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools, infrastructure, and policies. +4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. +5. [Update](windows-sv-prepare.md#management-tools) deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. #### Phased deployment diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 85f8bd4b1b..0c7db4b32a 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -49,7 +49,7 @@ The following updates are required to support deploying Windows Sun Valley. #### Microsoft Intune No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. + - If you are using Microsoft Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. #### Windows Autopilot From a69125e9db70b097b651f720b7c51fd66641cde8 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 11:21:17 -0700 Subject: [PATCH 132/370] ms.technology removed --- windows/whats-new/docfx.json | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 04908deceb..16f6364ce9 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,7 +34,6 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", "ms.topic": "article", "audience": "ITPro", "feedback_system": "GitHub", From d517852fea164ac95a94868f2a46f49f483a3c3f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 13:03:47 -0700 Subject: [PATCH 133/370] edits --- windows/whats-new/windows-sv-plan.md | 7 ++++--- windows/whats-new/windows-sv.md | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 76f9576c7b..9afc2d8cc7 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations working with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. When you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations, as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: @@ -32,9 +32,10 @@ This article provides planning guidance to help you begin depoying Windows Sun V - Application readiness - Functionality and coexistence with Windows 10 ecosystems -#### Deployment processes +#### Deployment process + +Consider the following steps to deploy Windows Sun Valley in your environment: -Consider using the following processes to deploy Windows Sun Valley: 1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. 2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 21147d17cf..3f327156fc 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -90,6 +90,6 @@ For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10 ## Next steps -[Windows Sun Valley requirements](windows-sv-requirements.md) +[Windows Sun Valley requirements](windows-sv-requirements.md)
[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) From 662a4e02ecbe21196549f980a36787f47f543e41 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 13:18:29 -0700 Subject: [PATCH 134/370] edits --- windows/whats-new/windows-sv-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 9afc2d8cc7..d6b6b7cde3 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -36,7 +36,7 @@ This article provides planning guidance to help you begin depoying Windows Sun V Consider the following steps to deploy Windows Sun Valley in your environment: -1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. +1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a phased deployment plan. 2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. 4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. From cd204dd5cde3599646391b705ba17ff7857cfa9d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 14:06:10 -0700 Subject: [PATCH 135/370] edits --- windows/whats-new/windows-sv-plan.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d6b6b7cde3..95f8c84268 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -89,8 +89,6 @@ Windows Sun Valley annual releases are supported for 24 months or 36 months, dep | Windows Sun Valley Pro for Workstations | | | Windows Sun Valley Pro Education | | -A long term servicing channel release of Windows Sun Valley is not planned at this time. - #### Features and applications Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. From 727dfe92ff3a817a49565fdcc874cda9a8e2a495 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 15 Jun 2021 16:29:59 -0700 Subject: [PATCH 136/370] Substituted because for that per the feedback. --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index f3935c6b4b..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -103,7 +103,7 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. From 4d33f48dd97275341b6023a2317c48eff9098e18 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 15 Jun 2021 16:42:32 -0700 Subject: [PATCH 137/370] Acrolinx "Bitlocker" and "Powershell" --- .../client-management/mdm/healthattestation-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9df5a62fdf..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [HealthStatusMismatchFlags](#healthstatusmismatchflags) \* TPM 2.0 only -** Reports if Bitlocker was enabled during initial boot. -*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\* Reports if BitLocker was enabled during initial boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. -**BitlockerStatus** (at boot time) -

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+**BitLockerStatus** (at boot time) +

When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled**

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode**

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

From d2955fe82fb7c463a3cbaa1702cf0d586fcad5f4 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Tue, 15 Jun 2021 17:03:49 -0700 Subject: [PATCH 138/370] Added a question and answer Added question and answer to lines 40-49 as requested by Radia Soulmani . --- .../faq-md-app-guard.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index cb0bff0dc0..10ada92e34 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -36,7 +36,18 @@ sections: `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - + + - question: | + My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that? + answer: | + The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. + + To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + + - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - It needs to be a FQDN…just a simple IP address will not work. + - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. + - question: | Can employees download documents from the Application Guard Edge session onto host devices? answer: | @@ -232,4 +243,4 @@ additionalContent: | ## See also - [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 3e7c3664aa0c586d4a1302d9eafd15d71dec17d5 Mon Sep 17 00:00:00 2001 From: Shaun Pearson Date: Wed, 16 Jun 2021 09:30:04 +0100 Subject: [PATCH 139/370] What's new 21H1 Small typo noticed when looking the Windows Assessment and Deployment Toolkit section --- windows/whats-new/whats-new-windows-10-version-21H1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index c56c65dac3..99f122b717 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
From d8af561f11b372e4647544b91b790a89b71a09bc Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 10:17:59 -0700 Subject: [PATCH 140/370] incorp white paper --- windows/whats-new/windows-sv.md | 64 +++++++++++++-------------------- 1 file changed, 24 insertions(+), 40 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 3f327156fc..eabaaffd5c 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -24,69 +24,53 @@ ms.custom: seo-marvel-apr2020 This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -The following articles are available to learn about Windows Sun Valley: +Also see the following articles to learn about Windows Sun Valley: -1. Windows Sun Valley overview (this article): An introduction and brief overview. -2. [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -3. [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. -4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. +- [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. +- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +- [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment and to be the most reliable, secure, connected, and performant OS release ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers a fresh experience that is flexible and fluid, designed to support today's hybrid work environment and to be the most reliable, secure, connected, and performant Windows OS ever. -Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. +Windows Sun Valley contains many innovations focused on enhancing end user productivity. It is built on the same foundation as Windows 10, ensuring that the investments you have made in tools for update and device management are carried forward. Windows Sun Valley provides the benefits that commercial organizations and IT pros need and rely upon every day: best-in-class security, simplified manageability, and high availability. It also sustains the application compatibility promise we made with Windows 10, supplemented by programs like App Assure in cases where additional support is needed. -All upgrades to Windows Sun Valley from Windows 10 will be free. +In summary, because Windows Sun Valley is built on the same foundation as Windows 10, you can deploy, manage, and secure Windows SV using the same tools and solutions you use today. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows SV. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -- For PCs that are managed by your organization and meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -- For personal devices and other unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -- You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. + +For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same, familiar channels we utilize for Windows 10 feature updates today. You will be able to use existing deployment and management toolsets, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot and those commercial customers running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see Management tools. + +For personal devices and other unmanaged PCs that meet the eligibility requirements, the upgrade will be offered through Windows Update using our intelligent rollout process to ensure a smooth upgrade experience. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. + +For those interested in testing Windows Sun Valley before general availability, we recommend joining the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). +## Before you begin + #### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. -Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. +#### Compatibility -#### Rollback +Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. +Windows Sun Valley also preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). -## Compatibility +#### Familiar deployment process -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. You can also use your current management tools, processes, and settings to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). -#### Management and tools +#### Servicing Windows Sun Valley -You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). - -#### Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -#### Application compatibility - -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. - -For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) - -## Windows Sun Valley servicing - -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). - -## Windows 10 servicing - -Windows 10 will continue to be supported with security updates until October 2025. - -For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10-coexistence). +Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows Sun Valley update history page at that time as well. ## Next steps From aef7333ad599c711065ba4a41c54fc8def5733aa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 16 Jun 2021 11:26:46 -0700 Subject: [PATCH 141/370] Update faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 10ada92e34..03baa2d537 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 05/12/2021 + ms.date: 06/16/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -45,7 +45,7 @@ sections: To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - - It needs to be a FQDN…just a simple IP address will not work. + - It must be a FQDN. A simple IP address will not work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | From d8e7613d44998aa49989e83f8aa3c68b3aa8c381 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 12:30:35 -0700 Subject: [PATCH 142/370] incorp white paper --- windows/whats-new/windows-sv-plan.md | 165 ++++++++++--------- windows/whats-new/windows-sv-prepare.md | 63 +++---- windows/whats-new/windows-sv-requirements.md | 42 ++--- windows/whats-new/windows-sv.md | 2 +- 4 files changed, 133 insertions(+), 139 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 95f8c84268..1eed113eaa 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -1,5 +1,5 @@ --- -title: Plan to deploy Windows Sun Valley +title: Plan for Windows Sun Valley description: Windows Sun Valley deployment planning, IT Pro content. keywords: ["get started", "windows sun valley", "plan"] ms.prod: w11 @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Plan to deploy Windows Sun Valley +# Plan for Windows Sun Valley **Applies to** @@ -22,87 +22,104 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. When you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations, as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +This article provides guidance to help you plan for Windows Sun Valley in your organization. -This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: +- Create a deployment plan. +- Define readiness criteria. +- Evaluate current infrastructure and tools. +- Determine application readiness. +- Define your servicing strategy. + +As most organizations will have a mix of Windows Sun Valley and Windows 10 and SV devices side-by-side as they integrate SV into their environments, there are some unique yet largely familiar considerations for this new operating system to help in planning for upcoming deployments. + +#### Determine eligibility + +As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [LINK NEEDED](). However, in general you should expect that if your devices were acquired within the last 18-24 months, they will be able to run Windows Sun Valley. + +Analysis tools will be created and made available to evaluate devices against the Windows Sun Valley hardware requirements. A standalone tool will be available, and the ability to evaluate upgrade eligibility will also be integrated into your existing enterprise tool sets. + +When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. + +For enterprise customers, analytics tools will be available for administrators to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. + +#### Windows Sun Valley availability + +As with Windows 10, the availability of Windows Sun Valley experience will vary depending on whether the device receives updates from Windows Update (unmanaged devices), or from a management solution that is maintained by an administrator (managed devices). + +##### Unmanaged devices + +For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. New device messaging will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. + +> [!NOTE] +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience, or they will already be upgraded to Windows Sun Valley. + +After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible Windows 10 devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. As with all Microsoft update managed devices, the Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +##### Managed devices + +The innovations and end user productivity improvements in Windows Sun Valley are exciting. However, the "right time" to upgrade will be different for each organization. For devices that you manage as an organization, you can choose between Windows Sun Valley and Windows 10, and decide when the time is right to incorporate Window Sun Valley into your environment. Initially, it is expected that enterprise environments will contain a mix of Windows 10 and Windows Sun Valley. + +Organizations will be able to deploy the Windows Sun Valley upgrade to eligible devices using their existing management tools beginning at GA. Environments that use Windows Update for Business (WUfB) will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for SV devices just as they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + +> [!NOTE] +> If you use WUfB to manage feature update deployments today you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley). +> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new end user license agreement on behalf of the end users within your organization. + +Some additional considerations about upgrading: + +- Windows 10 Pro or higher can upgrade for free using existing management tools. +- Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. +- Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. +- You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. + +##### Availability and upgrade path + +As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for eligible devices already running updated Windows 10 as well as for new devices. + +To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, as well as exploring new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. + +You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: +1. Configure Manage Preview Builds to **Release Preview** with WUfB. +2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. +3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. + +Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. All you need to do is go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in summer 2021. + +Your Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. + +Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. + +##### Servicing duration + +Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. + +Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. + +For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). - - Adoption guidance - - Infrastructure planning - - Servicing cadence and lifecycle - - Application readiness - - Functionality and coexistence with Windows 10 ecosystems +Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. -#### Deployment process +A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. -Consider the following steps to deploy Windows Sun Valley in your environment: +##### Application compatibility -1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a phased deployment plan. -2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. -3. Update devices to the Windows 10, version 20H1 or later. -4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. -5. [Update](windows-sv-prepare.md#management-tools) deployment tools, infrastructure, and policies. -6. Update qualifying devices to Windows Sun Valley. +Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. -#### Phased deployment +##### App Assure and Test Base -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: -- Preview: Windows Sun Valley planning and development -- Limited: Windows Sun Valley pilot deployment -- Broad: Windows Sun Valley rollout +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. - -Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. - -## Infrastructure and tools - -You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. - -For information about updates that are required to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). - -Also see [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) for a list of tasks related to deploying feature updates. - -## Configurations - -Assess your current [configurations](/windows/deployment/update/eval-infra-tools#configuration-updates) such as security baselines, administrative templates, and policies that affect updates. Then, set some criteria to define your [operational readiness](/windows/deployment/update/eval-infra-tools#define-operational-readiness-criteria), Define an infrastructure update plan to: -- Review requirements -- Identify gaps -- Implement required updates - -## Windows Sun Valley servicing - -#### Cadence - -Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates and servicing stack updates, if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -#### Lifecycle - -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. This is a different servicing lifecycle than that for [Windows 10 release information](/windows/release-health/release-information). See the following table:
 
- - -| 24 months from the release date | 36 months from the release date | -| ------------------------------- | ------------------------------- | -| Windows Sun Valley Home | Windows Sun Valley Enterprise | -| Windows Sun Valley Pro | Windows Sun Valley Education | -| Windows Sun Valley Pro for Workstations | | -| Windows Sun Valley Pro Education | | - -#### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Application readiness - -Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). - -## Windows 10 coexistence - -For organizations that need to maintain a mixed enviroment with coexisting Windows 10 and Windows Sun Valley devices, Microsoft’s guidance is to standardize on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. +If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. ## Next steps [Prepare for Windows Sun Valley](windows-sv-prepare.md) + +## Also see + +Learning module diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 0c7db4b32a..c617d105a9 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,64 +20,51 @@ ms.topic: article - Windows Sun Valley, version 21H2 -## Deployment readiness -This article provides details on how to begin testing and validating Windows Sun Valley in your environment, and prepare for deployment. Links are also provided to important resource locations for more information. +Organizations will vary in their pace relative to transitioning from Windows 10 to SV, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. We are committed to supporting you through your migration to Windows Sun Valley whether you are a fast adopter, or will make the transition over the coming months or years. -To prepare for deployment of Windows Sun Valley, you will need to implement your [planned updates](windows-sv-plan.md) to infrastructure, settings, and tools, including: -- Test your critical applications and management policies -- Update devices to Windows 10, version 20H1 or later -- Verify hardware meets requirements for Windows Sun Valley -- Update your management tools, infrastructure, and policies -- [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. +With the new Windows Sun Valley experience, hybrid environments of both operating systems running simultaneously will be the norm. Windows 10 and Windows Sun Valley are designed to co-exist during this time, so that you can use the same familiar tools and process to manage them, as well as continue to give your users the best Microsoft 365 experience. You’ll have one common management infrastructure, and support for common applications across both Windows 10 and Windows Sun Valley to simplify the migration process. You’ll use the IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Windows Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10. -After completing these actions, you can begin your phased deployment of Windows Sun Valley. +As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are exclusively using an on-premises management tool such as Configuration Manager, using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions -## Application compatibility +Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. -Two Microsoft services that work directly with you to ensure application compatibility with Windows Sun Valley are [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure) and [Test Base](https://www.microsoft.com/testbase). +## Analytics -- If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. -- Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. +If you’re a Microsoft Endpoint Manager customer, make sure you’ve onboarded your devices to Endpoint analytics. Later this year, we’ll be providing a hardware readiness assessment directly in Endpoint analytics so that you can quickly identify which of your managed devices meet or exceed the minimum hardware requirements. -You can also use [Endpoint Analytics](/mem/analytics/app-reliability), to test application compatibility. +If you’d rather start exploring Windows Sun Valley readiness within your organization right away, take advantage of our [hardware eligibility assessment script](add link). By following the instructions to deploy and aggregate results via Microsoft Intune or Configuration Manager, you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. ## Management tools -The following updates are required to support deploying Windows Sun Valley. +The toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Windows Sun Valley. There are a few nuanced differences described here: -#### Microsoft Intune +#### On-premises management -No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - - If you are using Microsoft Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. +- Windows Server Update Service (WSUS): Commercial customers using WSUS will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see the feature update to SV. Please note that during deployment you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will note there is no x86 (32 bit?) payload for Windows Sun Valley as such is no longer supported on Windows Sun Valley going forward. +- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows Sun Valley” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Windows Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. -#### Windows Autopilot +#### Cloud management -Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. +- Windows Update for Business (WUfB) Group Policy (GP) and Configuration Service Provider (CSP) policies: Commercial customers using WUfB will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using WUfB through Group Policy Management Console (GPMC), MEM Intune, or other 3rd party management tools. +- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley, version 21H2. You will be able to continue using the same update experience controls to manage the behavior of the device once updates are offered for either Windows 10, version 21H2 and Windows Sun Valley, version 21H2. -#### Configuration Manager +## Deploy Windows Sun Valley -Configuration Manager should use the current branch. - - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +Since your familiar Windows 10 toolsets are meant to be used with Windows Sun Valley as well, then managing, securing, and deploying Windows Sun Valley devices will be well known procedures in the plan, prepare and deploy process. -#### WSUS - -If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. - -#### WUfB - -Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Windows Sun Valley is no different. Further, in your blended environment of Windows 10-capable devices and Windows 10 + SV-eligible devices, you will be poised to roll out an update to a select number of devices. Once you’ve gone through the checklist of pilot deployment tasks such as assigning the pilot devices from your prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth, you can deploy to your test group. We recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +Using artifacts from your Plan and Prepare phase (such as security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Windows Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Windows Sun Valley as well. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) + +• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. + +• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. + +• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Windows Sun Valley effectively. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 1ec42163e8..469fe1924c 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -1,7 +1,6 @@ --- title: Windows Sun Valley requirements description: Hardware requirements to deploy Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi ms.audience: itpro @@ -22,38 +21,29 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the software and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). - -## Software requirements - -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. - -> [!NOTE] -> S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. ## Hardware requirements To install Windows Sun Valley, devices must meet the following specifications: -Processor -- Intel 8th generation, Intel Celeron N4000, Pentium N5000 -- AMD Ryzen gen 2 (Zen+), AMD 3xxx -- Qualcomm 7c, 8c, 8cx -- 64bit architecture -- 1Ghz clock speed -- 2 cores - -Hardware -- 64GB drive -- 4GB RAM -- UEFI, Secure Boot capable & TPM 2.0 -- Monitor size 9” or more with HD Resolution -- DirectX 12 compatible graphics / WDDM 2.x +- Processor: 1 gigahertz (GHz) or faster processor or SoC; dual-core CPU or greater + - Intel 8th generation, Intel Celeron N4000, Pentium N5000 + - AMD Ryzen gen 2 (Zen+), AMD 3xxx + - Qualcomm 7c, 8c, 8cx -## Network requirements +- RAM: 4 gigabyte (GB) or greater +- Hard disk space: 64GB, 64-bit architecture +- Graphics card: DirectX 12 or later with WDDM 2.x driver +- Security: Trusted Platform Module (TPM) 2.0 chip, UEFI support, Secure Boot capable +- Display: 9" monitor size or greater with HD (1366 x 768) resolution or greater +- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. It is required for the Home edition of Windows Sun Valley. -Internet connectivity is required for the Home edition of Windows Sun Valley. +For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. + +> [!NOTE] +> S mode is not supported on Windows Sun Valley. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index eabaaffd5c..1e9127bae0 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -76,4 +76,4 @@ Windows Sun Valley will have an annual feature update cadence and receive monthl [Windows Sun Valley requirements](windows-sv-requirements.md)
[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) +[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From 2a9e697360c9000f9c25ac524752e0e3e4d07371 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:37:14 -0700 Subject: [PATCH 143/370] Update from meeting --- .../hello-aad-join-cloud-only-deploy.md | 56 ++++++++++--------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 0536abfc83..cc8ce73b29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -16,36 +16,30 @@ localizationpriority: medium ms.date: 06/03/2021 ms.reviewer: --- -# Azure Active Directory Join Cloud Only Deployment +# Azure AD Joined Cloud Only Deployment ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. +When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. + +You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there's no other MFA configuration needed. If you're not already registered in Azure AD MFA, you'll be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. -> [!NOTE] -> It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -You can check and view this setting with the following MSOnline PowerShell command: +Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. + +Check and view this setting with the following MSOnline PowerShell command: `Get-MsolDomainFederationSettings –DomainName ` -## Use Intune to disable Windows Hello for Business enrollment - -We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you're not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. - -To disable Windows Hello for Business, run the following command. - -> [!NOTE] -> This action impacts **all** Azure AD MFA scenarios for this federated domain. +To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` @@ -53,40 +47,51 @@ Example: `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` -If you use this Supports MFA switch with value True, you'll need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. +If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. + +## Use Intune to disable Windows Hello for Business enrollment + +We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). + +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. ## Create a Windows Hello for Business policy -1. Sign into the Microsoft Endpoint Manager admin center. +1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. Select from the following options for Configure Windows Hello for Business: +3. Select from the following options for **Configure Windows Hello for Business**: - 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + +> [!NOTE] +> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). ## Disable Windows Hello for Business enrollment without Intune The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). -These systems are Azure AD joined only, and aren't domain joined systems, so these settings could be made in the registry on the device(s) when Intune isn't used. +Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -These registry settings are the settings an Intune policy would set. If you're not using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable the policy. +Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) + These registry settings are pushed from Intune for user policies for your reference. Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** DWORD: **UsePassportForWork** Value = **0** for Disable, or Value = **1** for Enable -These registry settings are for Local or Group Policies for your reference. +For your reference, these registry settings can be applied from Local or Group Policies. Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** DWORD: **Enabled** Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. Creating these settings could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios @@ -95,3 +100,4 @@ If there's a conflicting Device policy and User policy, the device policy or com - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) - [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) +- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md) From 42615359a75080bbdb4049fa7c888e54efd490c4 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:42:56 -0700 Subject: [PATCH 144/370] Update --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc8ce73b29..d4468e7fc9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -55,7 +55,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business policy +## Create a Windows Hello for Business Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. From ebb0962a44d53607b21c310bd28a85b80ebe6e20 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:48:42 -0700 Subject: [PATCH 145/370] fixed link --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d4468e7fc9..cc20211379 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -76,7 +76,7 @@ Here are the registry settings an Intune policy would set. If you aren't using I Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. From 1d175118dc6de3a2bf6e591b558768cacd5fa707 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:54:08 -0700 Subject: [PATCH 146/370] Added indents. Removed spaces. --- .../hello-aad-join-cloud-only-deploy.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc20211379..b5aa653cdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -27,9 +27,9 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom > [!NOTE] > During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. -## Prerequisites +## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). @@ -49,7 +49,7 @@ Example: If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. -## Use Intune to disable Windows Hello for Business enrollment +## Use Intune to disable Windows Hello for Business enrollment We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). @@ -68,7 +68,7 @@ However, not everyone uses Intune. The following method explains how to disable ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. @@ -80,18 +80,18 @@ To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/ These registry settings are pushed from Intune for user policies for your reference. -Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** -DWORD: **UsePassportForWork** -Value = **0** for Disable, or Value = **1** for Enable +- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- DWORD: **UsePassportForWork** +- Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** -DWORD: **Enabled** -Value = **0** for Disable or Value = **1** for Enable +- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- DWORD: **Enabled** +- Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 835cf8dc25c0e514e9b259b18879fcc74dd056df Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 16 Jun 2021 17:26:38 -0400 Subject: [PATCH 147/370] Updated error AllowWufbCloudProcessing Should be value 8, showed value 1 --- windows/deployment/update/deployment-service-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 256bbb7d4e..b7bccbb684 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **1**. +- The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy From dadbe6af01d60574508e5d36f41a0d262a1ce1c3 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:35:00 -0700 Subject: [PATCH 148/370] incorp white paper --- windows/whats-new/windows-sv-plan.md | 56 ++++++++++---------- windows/whats-new/windows-sv-prepare.md | 2 +- windows/whats-new/windows-sv-requirements.md | 6 ++- windows/whats-new/windows-sv.md | 22 ++++---- 4 files changed, 46 insertions(+), 40 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 1eed113eaa..310e572df1 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -31,86 +31,88 @@ Since Windows Sun Valley is built on the same foundation as Windows 10, you can - Determine application readiness. - Define your servicing strategy. -As most organizations will have a mix of Windows Sun Valley and Windows 10 and SV devices side-by-side as they integrate SV into their environments, there are some unique yet largely familiar considerations for this new operating system to help in planning for upcoming deployments. +Most organizations will have a mix of Windows Sun Valley and Windows 10 devices side-by-side as they integrate the upgrade into their environments. As such, there are unique yet largely familiar considerations to take into account when planning your deployments. -#### Determine eligibility +## Upgrade eligibility -As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [LINK NEEDED](). However, in general you should expect that if your devices were acquired within the last 18-24 months, they will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found [here](windows-sv-requirements.md). However, in general you should expect that if your devices were purchased within the last 18-24 months, they will be able to run Windows Sun Valley. -Analysis tools will be created and made available to evaluate devices against the Windows Sun Valley hardware requirements. A standalone tool will be available, and the ability to evaluate upgrade eligibility will also be integrated into your existing enterprise tool sets. +Analysis tools will be developed and made available to validate devices against the Windows Sun Valley hardware requirements. A standalone tool is planned, and upgrade eligibility will also be integrated into your existing enterprise deployment tools. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. -For enterprise customers, analytics tools will be available for administrators to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. +For organizations with investments in enterprise deployment tools, analytics functionality will be available to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. -#### Windows Sun Valley availability +## Windows Sun Valley availability -As with Windows 10, the availability of Windows Sun Valley experience will vary depending on whether the device receives updates from Windows Update (unmanaged devices), or from a management solution that is maintained by an administrator (managed devices). +As with Windows 10, the availability of Windows Sun Valley will vary depending on whether the device is unmanaged and receives updates from Windows Update, or a device is managed using tools operated by an IT administrator. ##### Unmanaged devices -For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. New device messaging will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. +For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. > [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience, or they will already be upgraded to Windows Sun Valley. +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. -After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible Windows 10 devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. As with all Microsoft update managed devices, the Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. +After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose whether or not to upgrade. Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ##### Managed devices -The innovations and end user productivity improvements in Windows Sun Valley are exciting. However, the "right time" to upgrade will be different for each organization. For devices that you manage as an organization, you can choose between Windows Sun Valley and Windows 10, and decide when the time is right to incorporate Window Sun Valley into your environment. Initially, it is expected that enterprise environments will contain a mix of Windows 10 and Windows Sun Valley. +The right time to upgrade will be different for each organization and environment. You can choose between Windows Sun Valley and Windows 10, and decide when the time is right to integrate Window Sun Valley into your environment. Initially, it is expected that many organizations will operate with a mix of Windows 10 and Windows Sun Valley. -Organizations will be able to deploy the Windows Sun Valley upgrade to eligible devices using their existing management tools beginning at GA. Environments that use Windows Update for Business (WUfB) will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for SV devices just as they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +You can deploy the Windows Sun Valley upgrade to eligible devices using your existing management tools beginning at GA. If you use Windows Update for Business (WUfB), you will have the additional benefit of two safety nets: offering blocks on non-eligible devices that do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices the same way that they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley). -> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new end user license agreement on behalf of the end users within your organization. +> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
+> Additionally, Windows Sun Valley has a new end user license agreement (EULA). If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new EULA on behalf of the end users within your organization. -Some additional considerations about upgrading: +Additional considerations: - Windows 10 Pro or higher can upgrade for free using existing management tools. - Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. - Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. -- You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. +- You can downgrade to any version of Windows Pro that has not reached its end of support date. -##### Availability and upgrade path +## Availability and upgrade path -As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for eligible devices already running updated Windows 10 as well as for new devices. +As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for existing eligible devices as well as for new devices. -To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, as well as exploring new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. +To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, and to explore new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: 1. Configure Manage Preview Builds to **Release Preview** with WUfB. 2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. 3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. All you need to do is go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in summer 2021. +Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. Just go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in the summer of 2021. -Your Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. +## Quality updates -Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. +- Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates. +- Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. +- Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. -##### Servicing duration +## Servicing duration Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. -Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year. +Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year: - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. - Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. -For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). +THIS SECTION DOESNT EXIST: For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. -##### Application compatibility +## Application compatibility Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. -##### App Assure and Test Base +#### App Assure and Test Base You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index c617d105a9..8da15603d9 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -1,5 +1,5 @@ --- -title: Prepare to deploy Windows Sun Valley +title: Prepare for Windows Sun Valley description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. keywords: ["get started", "windows sun valley"] ms.prod: w11 diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 469fe1924c..d9c0d22b1a 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). ## Hardware requirements @@ -41,6 +41,10 @@ To install Windows Sun Valley, devices must meet the following specifications: For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. +## Operating system requirements + +For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. + > [!NOTE] > S mode is not supported on Windows Sun Valley. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 1e9127bae0..b1b09d27be 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -32,21 +32,19 @@ Also see the following articles to learn about Windows Sun Valley: ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers a fresh experience that is flexible and fluid, designed to support today's hybrid work environment and to be the most reliable, secure, connected, and performant Windows OS ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. -Windows Sun Valley contains many innovations focused on enhancing end user productivity. It is built on the same foundation as Windows 10, ensuring that the investments you have made in tools for update and device management are carried forward. Windows Sun Valley provides the benefits that commercial organizations and IT pros need and rely upon every day: best-in-class security, simplified manageability, and high availability. It also sustains the application compatibility promise we made with Windows 10, supplemented by programs like App Assure in cases where additional support is needed. - -In summary, because Windows Sun Valley is built on the same foundation as Windows 10, you can deploy, manage, and secure Windows SV using the same tools and solutions you use today. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows SV. +This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise we made with Windows 10. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same, familiar channels we utilize for Windows 10 feature updates today. You will be able to use existing deployment and management toolsets, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot and those commercial customers running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see Management tools. +For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same channels that you use for Windows 10 feature updates today. Existing deployment and management tools such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot can be used to deploy and manage Windows Sun Valley. Commercial organizations running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -For personal devices and other unmanaged PCs that meet the eligibility requirements, the upgrade will be offered through Windows Update using our intelligent rollout process to ensure a smooth upgrade experience. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +For personal devices and other unmanaged PCs that meet the eligibility requirements, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -For those interested in testing Windows Sun Valley before general availability, we recommend joining the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +If you are interested in testing Windows Sun Valley before general availability, you can join the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -62,15 +60,17 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley also preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). -#### Familiar deployment process +#### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. You can also use your current management tools, processes, and settings to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). #### Servicing Windows Sun Valley -Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows Sun Valley update history page at that time as well. +Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). + +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page. ## Next steps From 6ceaf03326d07c9cad486be76f8f654af46deeaa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:50:02 -0700 Subject: [PATCH 149/370] incorp white paper --- windows/whats-new/windows-sv-plan.md | 6 ++++-- windows/whats-new/windows-sv-prepare.md | 9 +++------ 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 310e572df1..87cefa2210 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -110,11 +110,13 @@ A consolidated [update history]() is also available for every version of the Win ## Application compatibility -Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. +Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Microsoft's compatibility promise for Windows 10 that upgrades will preserve application compatibility is maintained for Windows Sun Valley. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. Windows Sun Valley has passed the same app compatibility validation requirements that are in place for Windows 10 feature and quality update releases. #### App Assure and Test Base -You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. + +With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 8da15603d9..db5959e103 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,14 +20,11 @@ ms.topic: article - Windows Sun Valley, version 21H2 +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -Organizations will vary in their pace relative to transitioning from Windows 10 to SV, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. We are committed to supporting you through your migration to Windows Sun Valley whether you are a fast adopter, or will make the transition over the coming months or years. +As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect time. Or, if you are exclusively using an on-premises management tool such as Configuration Manager (Note: Config Mgr is part of MEM, need clarification here), using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions -With the new Windows Sun Valley experience, hybrid environments of both operating systems running simultaneously will be the norm. Windows 10 and Windows Sun Valley are designed to co-exist during this time, so that you can use the same familiar tools and process to manage them, as well as continue to give your users the best Microsoft 365 experience. You’ll have one common management infrastructure, and support for common applications across both Windows 10 and Windows Sun Valley to simplify the migration process. You’ll use the IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Windows Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10. - -As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are exclusively using an on-premises management tool such as Configuration Manager, using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions - -Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. +Policies related to deployment may need to be updated or re-evaluated, considering update compliance deadlines, device activity policies, and the replacement of older policies. A servicing mindset focused on keeping current means creating a deployment plan to build out your servicing strategy. ## Analytics From b0191eb0f632c0ff5a95d53789ef550dd6f51362 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:54:50 -0700 Subject: [PATCH 150/370] toc and index --- windows/whats-new/TOC.yml | 2 +- windows/whats-new/index.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index fb7a0de80e..71e18303ee 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,7 +7,7 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Plan to deploy Windows Sun Valley + - name: Plan for Windows Sun Valley href: windows-sv-plan.md - name: Prepare for Windows Sun Valley href: windows-sv-prepare.md diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index bf2243760c..fbea14e982 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -31,7 +31,7 @@ landingContent: url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - - text: Plan to deploy Windows Sun Valley + - text: Plan for Windows Sun Valley url: windows-sv-plan.md - text: Prepare for Windows Sun Valley url: windows-sv-prepare.md From c307294265b743b49e0b295603929e96a82149ac Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 17 Jun 2021 13:29:36 +0100 Subject: [PATCH 151/370] Update policy-csp-system.md --- .../client-management/mdm/policy-csp-system.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 4d1e1393b7..536bae0e06 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -215,13 +215,20 @@ The following list shows the supported values: -This policy setting opts the device into the Windows enterprise data pipeline. +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. -If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. +To enable this behavior, you must complete two steps: -If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. +- Enable this policy setting +- Join an Azure Active Directory account to the device -Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. +Windows diagnostic data is collected when the **AllowTelemetry** policy setting is set to 1 – Required (Basic) or above. + +If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s privacy statement at https://go.microsoft.com/fwlink/?LinkId=521839 unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing”. + +Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. + +See the documentation at https://aka.ms/ConfigureWWD for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. From eff900dc59988d59668fc3997ed761dcd46d2a56 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:41:57 -0700 Subject: [PATCH 152/370] Update fod-and-lang-packs.md --- windows/deployment/update/fod-and-lang-packs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 193b4d95ad..fc45328c40 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 -As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. +In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. From 50cdba229bad471d1e5e215c7e9686e9eb9285a8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:48:44 -0700 Subject: [PATCH 153/370] Update windows/security/threat-protection/auditing/audit-other-privilege-use-events.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/audit-other-privilege-use-events.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 9883e2ee86..2e147e1fde 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -23,7 +23,6 @@ ms.technology: mde This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. -This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985 - (4985(S): The state of a transaction has changed. used by the file system transaction manager. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| @@ -36,4 +35,3 @@ This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protec - [4985](event-4985.md)(S): The state of a transaction has changed. - From d43d7a8504a3676dbf0107d6d0ead84b090846d7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:50:33 -0700 Subject: [PATCH 154/370] Update audit-other-privilege-use-events.md --- .../auditing/audit-other-privilege-use-events.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 2e147e1fde..7e8dea77c3 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -21,8 +21,7 @@ ms.technology: mde - Windows 10 - Windows Server 2016 - -This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. +This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| From 7647aeec7f20705366ccf52ccbec19b42918e75b Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 17 Jun 2021 09:56:55 -0600 Subject: [PATCH 155/370] Pencil edit to fix Acro Line 63: casue ---> cause --- windows/whats-new/whats-new-windows-10-version-21H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 99f122b717..70725f4a9b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf WDAG performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. ### Windows Hello From 4be947cda64690349d761a581161a80dc5b6040e Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Thu, 17 Jun 2021 14:51:38 -0700 Subject: [PATCH 156/370] Update enterprisedesktopappmanagement-csp.md Fixing Typo Timeout -> TimeOut --- .../client-management/mdm/enterprisedesktopappmanagement-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 60cff29616..20cd2f1e44 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -401,7 +401,7 @@ The following table MsiInstallJob describes the schema elements. Command-line options to be used when calling MSIEXEC.exe -Timeout +TimeOut Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. From aa92580204aca962bbc54ed0ebe7e2d972814f64 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:01:09 -0700 Subject: [PATCH 157/370] Added MEMCM clarification --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 73357d0809..a8d37771c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -35,6 +35,8 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. +Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. + For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) ## Deploy custom WDAC policies using Packages/Programs or Task Sequences From afae51855042cfe4c59a72fab5c65086cd0cf566 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:23:28 -0700 Subject: [PATCH 158/370] Added FIle Rule Precedence Order --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1f5068600a..e03aed4e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -120,6 +120,9 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. +## File rule precedence order +WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + ## More information about filepath rules Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. From 4cac115392ab4615a65e85638331d198ff23d265 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Thu, 17 Jun 2021 16:36:54 -0700 Subject: [PATCH 159/370] Adding Question and Answer Added a question and answer as requested from Radia Soulmani . --- .../faq-md-app-guard.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 03baa2d537..98fc46090b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -70,6 +70,11 @@ sections: answer: | Make sure to enable the extensions policy on your Application Guard configuration. + - question: | + I’m trying to watch playback video with HDR, why is the HDR option missing? + answer: | + In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + - question: | How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? answer: | From bbc34e8734653f6fa1c720a0f1a200df6d10123d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 17 Jun 2021 20:11:47 -0700 Subject: [PATCH 160/370] Acrolinx "preceed" and other minor corrections --- .../mdm/enterprisedesktopappmanagement-csp.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 20cd2f1e44..78f0b5cb28 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). The following shows the EnterpriseDesktopAppManagement CSP in tree format. + ``` ./Device/Vendor/MSFT EnterpriseDesktopAppManagement @@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement --------UpgradeCode ------------Guid ``` + **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. @@ -194,15 +196,15 @@ The following table describes the fields in the previous sample: The following table describes the fields in the previous sample: -| Name | Description | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| Name | Description | +|--------|-----------------------| +| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** +**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** ```xml @@ -292,7 +294,8 @@ The following table describes the fields in the previous sample: -> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . +> [!Note] +> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). @@ -550,21 +553,18 @@ Here's a list of references: ```xml - 4 - 1224 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall - - - Reversed-Domain-Name:com.microsoft.mdm.win32csp_install - int - informational - - 0 - + 4 + 1224 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall + + + Reversed-Domain-Name:com.microsoft.mdm.win32csp_install + int + informational + + 0 + ``` - - - From fd05fdfcbfcb588e46dfb9e3a89117cb6763352b Mon Sep 17 00:00:00 2001 From: 38cat <85171837+38cat@users.noreply.github.com> Date: Fri, 18 Jun 2021 15:57:40 +0900 Subject: [PATCH 161/370] Update policy-csp-localusersandgroups.md Windows 10, version 20H2 was already released. Is this warning need? --- .../client-management/mdm/policy-csp-localusersandgroups.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 68938fa3b7..5f21ba8658 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - LocalUsersAndGroups -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
From 3017e669b01e2b77df0bfcf621039734caacc8d3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 14:25:35 +0100 Subject: [PATCH 162/370] minor updates for DPSW --- .../changes-to-windows-diagnostic-data-collection.md | 1 + ...figure-windows-diagnostic-data-in-your-organization.md | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 113c415e29..38c0dfcce4 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -87,6 +87,7 @@ With the Enhanced diagnostic data level being split out into new policies, we're Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly. The following provides information on the current configurations: + - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data) - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index b3cf4f88b5..2e8b46a246 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -66,7 +66,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be - Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component. - - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component. + - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component. - Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). @@ -120,7 +120,7 @@ Here’s a summary of the types of data that is included with each setting: This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education. If you choose this setting, devices in your organization will still be secure. ->[!NOTE] +>[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. ### Required diagnostic data @@ -247,7 +247,9 @@ Use the instructions below to enable Windows diagnostic data processor configura In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. -If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration: +If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. + +To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration: - **Name:** System/AllowCommercialDataPipeline - **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline From c6737199096ae32a6330abd04fc33755935886f0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 14:48:37 +0100 Subject: [PATCH 163/370] Update configure-windows-diagnostic-data-in-your-organization.md --- ...configure-windows-diagnostic-data-in-your-organization.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 2e8b46a246..033030780e 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -231,7 +231,8 @@ The Windows diagnostic data processor configuration enables you to be the contro ### Prerequisites -The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer. The device must also be joined to Azure Active Directory. +- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer. +- The device must be joined to Azure Active Directory. The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: @@ -257,7 +258,7 @@ To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/cus Under **Value**, use **1** to enable the service. -If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. +If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**. >[!Note] > - If you have any additional policies that also enable you to be a controller of Windows diagnostic data, such as the services listed below, you will need to turn off all the applicable policies in order to stop being a controller for Windows diagnostic data. From c0911676bac82fb37ecce47c5823569b32c55e53 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 15:52:14 +0100 Subject: [PATCH 164/370] minor dpsw updates_2 --- .../changes-to-windows-diagnostic-data-collection.md | 2 +- windows/privacy/windows-10-and-privacy-compliance.md | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 38c0dfcce4..814dedb66d 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -102,4 +102,4 @@ Previously, enterprise customers had two options in managing their Windows diagn Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. -This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization](configure-windows-diagnostic-data-in-your-organization) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index e5ce1e7e04..c6fade565c 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -65,7 +65,7 @@ The following table provides an overview of the Windows 10 privacy settings pres An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. > [!Note] -> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject request to access or export Windows diagnostic data associated with a particular user’s use of a device. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). +> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s use of a device. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). ## 2. Windows 10 data collection management @@ -82,14 +82,14 @@ Administrators can configure and control privacy settings across their organizat The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve connecting to Microsoft connected experiences. For more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This is not a complete list of settings that involve connecting to Microsoft connected experiences. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). | Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. For more information, see [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | @@ -108,7 +108,8 @@ If you want the ability to fully control and apply restrictions on data being se Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. -You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10: +You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10: + - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) From 81271f6350475aad223a2ae910817091c42bda69 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 16:00:25 +0100 Subject: [PATCH 165/370] Update changes-to-windows-diagnostic-data-collection.md --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 814dedb66d..6d5194e8c5 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -102,4 +102,4 @@ Previously, enterprise customers had two options in managing their Windows diagn Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. -This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization](configure-windows-diagnostic-data-in-your-organization) +This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [configure-windows-diagnostic-data-in-your-organization](configure-windows-diagnostic-data-in-your-organization.md) From ebdaba2b58dc25fc7c53b0af93826d17717fe56f Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 16:20:19 +0100 Subject: [PATCH 166/370] minor_update --- .../changes-to-windows-diagnostic-data-collection.md | 2 +- windows/privacy/windows-10-and-privacy-compliance.md | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 6d5194e8c5..f582ab8f63 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -102,4 +102,4 @@ Previously, enterprise customers had two options in managing their Windows diagn Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. -This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [configure-windows-diagnostic-data-in-your-organization](configure-windows-diagnostic-data-in-your-organization.md) +This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index c6fade565c..7a44461fae 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -131,9 +131,10 @@ For more information, see [Manage connections from Windows operating system comp #### _2.3.4 Limited functionality baseline_ -An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. +An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] + > - We recommend that you fully test any modifications to these settings before deploying them in your organization. > - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off. @@ -160,14 +161,14 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Diagnostic data does not include data processed by Microsoft with the use of essential services and connected experiences in Windows. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Diagnostic data does not include data processed by Microsoft with the use of essential services and connected experiences in Windows. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following: - Restrict user’s ability to sign-in with a Microsoft Account (MSA) using [Block Microsoft account group policy](/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts). -- Restrict user’s ability to submit feedback, as any feedback or additional logs submitted by the user are not managed by the Windows diagnostic data processor configuration option. The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and block ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed). +- Restrict user’s ability to submit feedback, as any feedback or additional logs submitted by the user are not managed by the Windows diagnostic data processor configuration option. The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and you can block the ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed). >[!Note] >Tenant account closure will lead to the deletion of all data associated with that tenant. From 0e3e9a00129c3a331ec248982607271001cc853a Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 18 Jun 2021 16:34:21 +0100 Subject: [PATCH 167/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 7a44461fae..9d66846576 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -89,7 +89,7 @@ The following table provides an overview of the privacy settings discussed earli | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

Note: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | From ad30fcef294b1f0efa6b8853b0efdc0d49bef2e9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:03:16 -0700 Subject: [PATCH 168/370] Added the suggested edits. --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index a8d37771c9..c5fd34e870 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -35,7 +35,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. -Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. +Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) From 503f2da0abecffe98fe95c5f564311dc13949ce0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:18:23 -0700 Subject: [PATCH 169/370] Added the suggested edits. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e03aed4e50..99f5695221 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From c24b0d494a1fd3bc184899a90c17e7538289ba6e Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 12:40:01 +0100 Subject: [PATCH 170/370] Update policy-csp-system.md --- .../mdm/policy-csp-system.md | 89 ++++++++++++++++++- 1 file changed, 85 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 536bae0e06..36cad84743 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -28,6 +28,9 @@ manager: dansimp
System/AllowCommercialDataPipeline
+
+ System/AllowDesktopAnalyticsProcessing +
System/AllowDeviceNameInDiagnosticData
@@ -43,6 +46,9 @@ manager: dansimp
System/AllowLocation
+
+ System/AllowMicrosoftManagedDesktopProcessing +
System/AllowStorageCard
@@ -55,6 +61,9 @@ manager: dansimp
System/AllowUserToResetPhone
+
+ System/AllowWuFBCloudProcessing +
System/BootStartDriverInitialization
@@ -224,7 +233,7 @@ To enable this behavior, you must complete two steps: Windows diagnostic data is collected when the **AllowTelemetry** policy setting is set to 1 – Required (Basic) or above. -If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s privacy statement at https://go.microsoft.com/fwlink/?LinkId=521839 unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing”. +If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s privacy statement at https://go.microsoft.com/fwlink/?LinkId=521839 unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. @@ -257,6 +266,28 @@ The following list shows the supported values:
+ +**System/AllowDesktopAnalyticsProcessing** + + + + +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms. + +To enable this behavior, you must complete three steps: + +- Enable this policy setting +- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Set the Configure the Commercial ID setting for your Desktop Analytics workspace + +This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. + +When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + +If you disable or do not configure this policy setting, devices will not appear in Desktop Analytics. + +
+ **System/AllowDeviceNameInDiagnosticData** @@ -609,6 +640,27 @@ The following list shows the supported values:
+ +**System/AllowMicrosoftManagedDesktopProcessing** + + + + +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. + +For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](privacy-personal-data.md). + +This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. + +When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + +If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. + +>[!IMPORTANT] + +> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices. + +
**System/AllowStorageCard** @@ -845,11 +897,18 @@ ADMX Info: -Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. -If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. -If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. +To enable this behavior, you must complete three steps: + +- Enable this policy setting +- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Set the Configure the Commercial ID setting for your Update Compliance workspace + +When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + +If you disable or do not configure this policy setting, devices will not appear in Update Compliance. @@ -932,6 +991,28 @@ The following list shows the supported values:
+ +**System/AllowWuFBCloudProcessing** + +
+ + + + +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. + +To enable this behavior, you must complete three steps: + +- Enable this policy setting +- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Join an Azure Active Directory account to the device + +When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + +If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features. + +
+ **System/BootStartDriverInitialization** From 353358e8173321373e87b61fe44c76e11d657b1c Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 12:46:24 +0100 Subject: [PATCH 171/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 36cad84743..c19189a66c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -648,7 +648,7 @@ The following list shows the supported values: This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. -For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](privacy-personal-data.md). +For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. From b235ebe8c8421df84a90173b6556e35becf7b33b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 14:45:26 +0100 Subject: [PATCH 172/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index c19189a66c..149be2e826 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -277,7 +277,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: - Enable this policy setting -- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Set **AllowTelemetry** to 1 – Required (Basic) or above - Set the Configure the Commercial ID setting for your Desktop Analytics workspace This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. @@ -903,7 +903,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: - Enable this policy setting -- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Set **AllowTelemetry** to 1 – **Required (Basic)** or above - Set the Configure the Commercial ID setting for your Update Compliance workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -1004,7 +1004,7 @@ This policy setting configures an Azure Active Directory joined device so that M To enable this behavior, you must complete three steps: - Enable this policy setting -- Set **AllowTelemetry** to 1 – Required (Basic) or above 1 +- Set **AllowTelemetry** to 1 – **Required (Basic)** or above - Join an Azure Active Directory account to the device When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. From 7cc627275eb7ef939abb5f7a37dc94d2a5e978a5 Mon Sep 17 00:00:00 2001 From: Guillaume Bordier Date: Mon, 21 Jun 2021 17:13:49 +0200 Subject: [PATCH 173/370] changed screen capture to remove double quotes --- .../images/pinreset/allowlist.png | Bin 33880 -> 33638 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png index 097b1e036df4ddd9e2f4dd657f4a9aef2a97dc1c..5b1df9448e00e4ddc1e45396eba1bba735ef6533 100644 GIT binary patch literal 33638 zcma&N2UL?yyDl6XhzO{N3J6$UK|w^N6PgvJBLdPDq=pWmgeIc!DFUz3gb;c!iPS(s zKtw@GLQhBnp%Wk^0Rn{1AHVP0`|Pv#I{!J(S}ay(&CD}%&&)mdbzS%K!ProT?}W$+ z006-E^vT0#0KgFp0C0$QoQqR(BxT#1^Y4)VGoAYYIPT&C=f_c(dj|IafT~2^-B-sr zzj=I~So#A1f6f2-JM`A^*hK)~?atGO_nrsa(Z_hh&d%l@93VQfT-{7m`~3#-#-ZBQ zSJDm-Um61JYinF6&AW2Jq;yvDtrgzODyap zJV}KQ0O&h=3UcVu%)Mq-S2#R>z@@KaVi}D&~@MQ_U@UmLjY~l2lL0?JcgHD6190e z@u&0t%kL>ccAIe#RonhRp_-s|elgY$J0Li~veB0+6U>Wu#Hjq&lF2t?u%*Y8ZEv z^Pa~^r3-WdBKyRN6a05(#1LABdsSEVZ%?90O?^Bq;8V-iPJur4>?3v6gM16i2|RD| zQ+VoiG?!D|roAB#+nfpHwDO@_Zf7@U7bGLc1!J?q6=zaoYv+yXK2QLFi6?H)uuw$P zY8Q$pqqZ8 z{HktYIji<}Lg#f*^V#0RTiE znwzKAdsQ|&^3^0*BH?0w^I~WDEUR7_wK&qBbx36|3>zg7Bw~-k&G%M1A^XX4b!snY z#5-m|*J@j3OODwRhvBQ}*T?_^4J zWZ8>?L-hd)mJ%(wX%>+Dg>Xdw1Vu^Q%RXnAjOlN`RcLJw^X{ngwWw6X9|q)*|ha6#3?&Cs3Pg!nRt9N$UhG7C;%+IwwcIsz^URodR_ z*XTF4@n_9pO?NivDW5;TqF&6%!_0~dEs}9B6n6r<1Oh-hT1(8~MfTxV&6mt(1WX~+ z=GSc->_)Hfs^eb2>Z~7C!ojEy4Auu+923c_M{XK`?Y)fK#q z1)7(Ji`M!~#iMQx(i9dm4-p~33;ZeOL1P{vrGfCTa58+c+<%n67_v}pJ?B2HiEe_Y zgy+r+b&rv53@1EJNh|SLxH+cb{&xf;=uL|1la>q>J()nsfQ34LI2Q>VQKwRcYtTPt zN@t-*3x|1(6tU%dP5{8gN;U9eK~qzcZZtw77^~(yhBA-LB^(_wYJN&euGH&(Q2JrF ze!x)Gyw~U-2-^gGdd}tI5i|FR!Zf>QR2)n|Yczbd1)?BgS3a(68b??1-S5@{8+9<} zFM0=Nn#&%HJ#DtX##5;{(kvK;ZPI}47vk$qHiHB80ouUYD}=bFMS_m7lxkwJ?fg4? zZ*yO-EG4dO}S;FVA{zm9y28*C)1ly%%-37TwEf-5I54;!^@eCRx8DMFA&4o zLT=O5jVLnD+ym$H?e|&28sMj*-T~8S!|&|J8neLKSLtFF&Gmc330A-pX`xqz$1pko zK*F<>W8>TWO^^59Q%ns9dG+xg71YZWJPM}dON z{Bh*1A*~^&c>&Mh%GT!eA`)}YRKR2B89Upy>K4HXzcnKvA~yezMcA-2)Xek1AG3Vl zqggZ)l#5H?0bC#x+&aDFzvQ*1ZJ786Ir}@UiA^Ldd}o@9}1jPuv2& zwhzx8=+zy|ooTyY`PDxkjpJwN@)N zCcjgik?&lZ8#VKEh6mfSBhVNb;oR)_ONo9Q?;iQ>UZhXr2a_T#4}N?y(|A&%scOw` ztm!nzcn%+0k(Uo6OgNj1$Nhn1W*L=Daz;A8xW4CGCUF+jJ36?LSh=5z@0V=G8Mh@= zn8R%rV$g$zKrF754-s8C5896$_X8%cA|5G~jVlk5S!pO2?`r;vu*v}T&~q?Pz?ndX z9iq{HmaNsUs&TSMxuYS5y{FOSczD8cn=+!x*(xc); ze2xEOnd!CX9HR~mhPn@BrUiuRc&}Uzb*qTTB6f@2x{zFncJVfLt9kD9Da;BX*K}_o zN=(L1$$)q4J2dZ8=J|E zXib3Oh7A(0$ZD;F6tq|%FFtSDe9YH0UQQQN^NwpL%p44dhoIcPzZM$le7Ha~qV?Yy zOA$e4D+Ws>jQGyOKOnR!Z?dS@v4k;<_wWgq+C9X1+ItxT=DBNKqGSux6YxI4ZuCO@ zA?GcCM)ll1CpGUun_dt@aH$zj!+}(L0f3x4%b?)+nB$oB7lXV2SKTfpc;FF)iTaK- zx%HXH^4qM>h+VB?G)UZfGtbAzq)s)}r^Z87ML`E2bw36+L=jvE%N!;Y6AsJ=)TT1J zal=Je>sq&IE6g%2%PZdh6(b(C()k_S2p4G*=;)N)V~8l1%rgUPLxR>9nDLC8qqD>B z(!7QrC!uzNOd;KYYGlm1=@N>PN2hq^KHCOMEguGm#J@~(ZfPgzYEu@jwWn)8(yvmO?b;&7r@Iwc5r|yMURj4X@9iXw z=}Z_GUJrkr0M{D(1SRtr47!sCYm>_qTC_^@_DJ@fo~aHygQhNAsOL`%m~J2sf}4&> zdc9E7+@~Pp-T-FI6FT}es;-9t#_R;TLPIr}g^LV4;0VAcK<{KzbIkGPca#Tz2ajb6 z_pJNvFJqO*=V^!*yoG(ZQ}!XiqFMMMV7b1D*tox*Hi_}!0 zF4GBm$=g1s=`Xf|v|TzC50P}IOnQV0ymaf=^Da@j<0?LqqbxnTvvIqyfEHuz(P71% zN@Ec1jBtjdgmev$l5q{4-b(#vykRe4oFl!rFk&het-Ps$L069gtSfe95pL7ZT*^JS z=RK5P0&#w+(2lo!UH0f!G-X5~T(bvH1^|YTU562f=4iQGB>&ew8mj}Fzo5<8?HIC?nvO z%C|`8j<<+x37SJcp06JTOOwuzW?L_Td)-j`c)e*RQ`GavO?sGy5luh#W!h$4OG0wZ zFc!l=8pqkK!Kw7fh@epG>m287r>d%&!ey5&5r##98v1!Gi&0e1w5mnHT1SN6SN3MTl?K zDEk^g-L>;rzIwNBjpiGVF#AJC*O|%gY04I)t+uuAag8G53rB+tpLuf4f4(NS7`3FS zTQjL#=!Du%47EZSbw5LUhp-k$7t-9r>MP6leBcc0c}0Su>huYh$aAz0zDI^CF$Z>; zLH-bKCugI9-Pt(BD*G@o?;%T#6erM+BwGZOw7>L%{;h^Vl%=Zx03~PH3zhGGJ`l=O zn%gbh^11)Y^hMw~x!|w6 zD--!zUuknaFByX%I1D(OY&r@CMF1(xq9R%Oz^xzbJt{~6W9 z@2hL#F=i^sD|ijj1SP(?g&|Q$?(Iqi&j0pgG}I;O~nCm-86|rZREQ zoh^>N*{-IphblV!{KvcxlNP#k#xXI~AYe`lLp1Cl?*>#mK^4hF+>&fy^@+Ky547~X z4~(`{qVJB9!_-}u#IQNAGw?uinjU@7l(D2Y+_S+LuEqqO;T&e*eQyo-e@s|c2clxu z80D9PGzuO?j^uJe&%@I-SLnNgei}6aP+fWjmx*1`6urC7b+HoVVVDc!xzscIrm;De z0hQPBU;5i@>D@%bC9+lJL4C7B!zfxmB+@^X*jXY=tD_d%*1GuK&JmBvPWZ$i|2AbQ z0BCSx%o`Ht&3o+YVZn{ zx0dxrS?bS5wAZ*NC=qJa629oB;X~y^?XPOOkMF8@zmKUt;L}iFyQQ(K+x&5<`Oxt@ zQnfg{0jsOUHfPV}ZxaL|!Eiw)gP@jZDqvxk?1#;*cg>&&rYy22iAcn1V;8-l}g1*3g`dZv% zZL3`g!-^`QTaoUD6MGBJ*aXlCu~Qy*Jqf-b@HkjJdv$JBN}uTqRo*cur3b$Rwu(%> z^j`_Jw@+PG_ufCAp?d^iT=`fO;@!fCasMa$LFGQHzh`7%=Y<$F80?esS8P6Cb?*D; zSMK`O$jUwyqSIW*a7lgh6U*Yc8@&QSMLeu)mO_VFSp-&XvCetqTtl5;$#nGUWr*^* zTZEwO{LlR&qg~)e-vkD&%8s2uJqC4$=Ad$QY8z`UI~3BCXo#b|$Wh~%K5(}`vDRm?ErrWo zYdHhlgVMPlKD?0%w<~y5PxK*w7H|(MKI@&wrJI@%9~hwMSPm05o?RWdA~ZuOwC7tC zvZYd^;RBwgEHjT(X7`|h^ZuJoX`k$g-`E6r=-|K^;NV?y=W4Uy7K zYUqUv)`B6s_55eueoZ4uI5cGbElvCx1vfI>eJ#=|2aTv9Gl&*#Qq2`VxG)XEt|HP$ z$wxm#jSPLu$S{{`b|X${EUpaxyxyP#CCDhXn58vH;=GD2l$zRuQqA~64Vd9+we<*l z`AWHs!*fqm?-97{*?U~~*D!h;LphBBcWo6`AB%1Q*~V!YyLjZzgZmR5Z}8{2+p#Nl ze%@jMWyb*8gMB54h02?o;(Sra{bcuPQW%hO@4*iE+w^+52lX(Y#O)`_8qGGMTA!|U z3z(}TvpjNt&E&4y-cdCeFZmMzeexlT2FzD;w_hGRQyW)&fFBY;${GPv#k*l z!Z(c3hPi`3S4-RMxI;7pf4Em0%P`f(nu=G4)H=a+MUFDpxVmmw4t#0)tCci89Kn@} zhJlW`$4%GbA4OZqc$;4%EIw9c-WVw$@=*4-h3pUsjdhbzcI5_1b3X}wP&@l)Yy$8I z;FMCl=9)$%0+w>-2 z6J7PtM(OBo0n%C;xNt(_&aaTM!AxqMzUhIr_)v*b;AHG0X*8rr9D^f!EiN1h*xAb; z#^185!u(E9{3M{YYfR0KY~Gpg?(FpCwyy@iY5$8svaklCn_~rSWJ>n}ptSm~XXfu| z?t&RgJNklDb7)<2wIl|nqjt#0s3N-fgJF)i*{^kYQN88xSba%cHEE8>cC2r-(10Dw!4j+uX(kKd>? z*OU$JNElAAZv$O4ocH|fn;^#eOFZjk10O%PfOvpJcX#*LN_F+!AlJcmBL{Gyu{`QE zC>N-y&r&w}cBsm^M-hE~roz7?7DvuofsOW;%yjG3O>NkrLJNhx;a*oIhUjVR=NZ;l zq3;^&2`zACpar!382g*C(RvSFUUF?C)Yw}?{X5YiZ-T}*=&fvMtSnfKRm2cvZ_5t{ z_QY91Y{Lc_@q=nKi(Y6|y~z3$4b_YRl1=Lk1r9ta&ZV!EXXA^kQRo`cw>;GZyU@z4 z@C{2?1j=G|iQDer4pB|pN#9a%#%O2uvzCHQ<2wj4D4hW-Jb`?F7yuaNePrPM?P-nu zG-&Re^5-3rX{S_kc1SpF6D*Kk?0qiKq!&)cjQ&34S2Ayx#k^)(?`jG0j- z{1w$$3i)|_HaYOT6vmD)B*|ohzCppp=u}P^knz#{{6h0f9Xs%dyaGo+Fv#b_q#U!e zFNtPaTFlSw*VnVZs~HH(t1|X$eRYGb%PDJ-GLa$W_5IGxkt3+K1WOLt1~K{3q+5`Q zx6Nm?$dmN^{v$FyxG&b*we^Izg40W7#U6w7KQZPz6V96idZE^C z6YE>8gbLAH*p!goi+u5v7%3xD4pqtvN9)PkS;FHZNjdQ{cKA;ph^Uv}%`#TKE}cR$ ziz=Kct}9FEwdIdjQo_v31`>Jemf`m9jPboE7hk8!8n?z?lV(Bhq@}o0NnxHfNqfB? z@#DJKj1Ks)?N*F=vUNdmM0%yL9|3MQSS0LIphq}&X#b3dMpJc0(J$eowYi>~MD$GAe2S>z z>qV{<;zG$_tlN~_M+GM<2PU>vJYPn4LGfuzc4}dLKUpfpecd)3O#ZlO@%y)Bp%fP+ z)a2Q1TSpEihD8*cf5<2V4Ke5Dx98Wp6SO(4J-1FsFe@e-ohynZZ)KNOG&uK1vH$i_ zf79Nctaxv~)?R$;2u7KsbiFHJ&qD+b&Okg zwwX}WH(1kS>;;*6R{H672Y@&2ZhkLv*6-s*%(*)R`m~rPlbX@niBJyH*c&g<^v7C0 z$4eFr`byj(hZLR`Rq(79@2&opxSsaMj(;!-XS5go=w|@HDJu@;!FjY@Pec9*dvYKB z5#=})&i(faVqo@y2I((x@ko+77dIo8Cnxu7wdC*Yjqa%r^8f__@PWye+3ua)D897V_W$NTc2M|-8~)8ne3Z3U*S1dbfQmD3q(W@I2z{jrC$DS=$p$;4Mq4U$>A7lJ<)L6gT^|yyBHk_x@RT6a;YF6OvbM$l2St| z=bNRL+As+3Kxibod&=E0ddI9yWM<;d>Uf-WH?&wIlr`#jR$XZyRW;X78Go6MZef!+ zIurn~D42`v_kBB28d|$=D_EceOq9F;VQJp2(f4E5%*JRUQt?Nb8VF$2 z@|T?@f9Bw$r)=7CZS%8DNPVw1e@Yb=Kzl=oan84K4WEZwK@h35AZ!tG9^=Fo8 zDXzY>PWW-1IpvI$G!pfMZP4kr&t-|~P1mZfIUh_2Lef+bWJio(K>n-o-SD13M$O=V z%;)r7gS4@4jX_3BB-;Zkdw&gPsp0VrbA!G|SG{Yo?}5NxGOYsC4x`S0`CO$?_7u3Mj8CMa#YVKwd)>!aa)`!Bq1ZE2n0q9J&rlZe1e9`&|FXlS5< zTgmu@jgg6C-!qiGy(*bVzr(LzhSy|EKJ1W>QZ^cAgYtBSCooV6-X<h=x_9!tdsU z(y=-{X?L-5MPzj8p+AWPeaoD~@#Xw+0x%ufVdS}1eJCJ&0z%2~19_y)sIK&rzMKb9 zmfpF^e(=tMB7a8Onubb;*Zw4)R(1vM_$)%Oc1=?C_NnB!+RDptVQ;dRpo1gx?ktAp zp>;{S~b2b-gvU)gI zQ1%Fc0eK}8VaHd8dU92cC`cP|YhycNp;*Q8xoxu+OXfd_10^GMjgq&SAq1XQrB8ti z6g4l2w=n%NbhA#*Q{Qz?1pmx3vIeHpNDxX4Z~z}Bm)Eo~X)^H74?(sHq|w8jkw&!j zJ$I;bC>FIheH*RP_ii-CwdHF0EoI7ivUiY*u6G?rmUelD@Z!^d`>j7Y3#i1| z*;z&~Cu;#%>o(YKD*;&icmwoy*R4f;mAmU2rxC|*{+ZC_$N$|I+6-F9|7@E!f_6-N zuk#0p{BP~RvzVq9clsw!wdIAhKz_hQRjk!Tgxz$nc}Il=N!9G?n)%h0<;}slJ1RbY z|IK?ETR5-VRoM3|R+?))<@7x9o47+ggHeOTKSl_@raq6K<46{Ok}su`*Om{fSbbeB zQIa*{q(X3>H+@&uINlckxF5&KoZvjiW&gz{U8?0&cwo1SKwf}*=TVAspn8!tgi2J6 zP2kLsip}iXvNoo1C<;eQ={&FlKB&cmX=@G45C_xQjN0qI z*@9z_b37LA;&0S6;icRB3*Tloo>7blTmHMhs6dOs$2Xr=v@YV$`qX7HQ(rmGOA@W z5KFp7!MrY-g{C{12!6uJ;ZS)OawA~TbTZ?Z2nlGrI7HZD;7V6xzg>{}2mjZK+7Jqx zlzci}W(P7J8U!rQyI0%rq^s{%$a&f1d3wq-=fpCRTioeypt6tbU5cu$iljkBrl~45 z@_y#3EJ>9@;Wyj0;p5hU6?rKBCN9oRZXBd$(6=iu4VqheH|4uu`nn89BMc^l-u0`d ze{e=^H%Mi#3_g-b_f(Ur=v9##B6Ps9dQ1)dV~;2c-p0i9h1*`_dNpb;_mJ<>^}6{! z3XD5PoZdY+I{IpHuv7mllc82=m%Xb~n)9X5zxFoJVtR}!YTB^5h720Su?}y zhbK1HA(z!!-16jYklNcXE#8x6lLa$?QS1nI|4CbB^H}&%<49dRwfqtqvDeylLja!n zS7jLb3tnR7?f{8&ryLA)Y8dxq>fBW>@v<$j=qZJ7a|(N;gLHl>Mhb5D=Ub46>n;q}&WU z%R>rB2Zw@TGj>@oBa=mLTOK=>v~I(vR$JER;MjXhXha)I%1;!{;?=4)NQY@J8JrI> zCBYMUe3k#&)fQMzIxMBqE3 z;!r>5{!#J~0?FoP9kBq5S*068Pd5dQZ^fX~?ruiaI{^!YWl-2_{S|kUS+5X)J?|_mWZHdBXxQSA8{(R8Fv0H27)DW z%b+irQ5hl=zvabVIIRH@_seS=Lf}51IjIcW zhychK1FtE3gvVeI4YI%(84IJ6Ya1h;9}SpT?P&Q{q~;NXul~N&c8CUosRWb5OmH(RuE?pUyB1v+IyHS2T ze`aA_`R}XnRBBSUOLjOuylI038q;|W_hF`?Hi?OAD^xqI7uXQEGQPfDH*NtbpQc}& z==;wFzO;6@M20DJ&Yhm2HUB;8$iME)3`J7}g<9?iLBUKF?|Unr5lGbX6pwyz!SI&B zgqUVnLv>9}{^a@2bWk8rV?S!Yi75jtc8(ZWRq+%Hib>FD#{u}G{_{S+FZTv@7c@7$ z{mUtOxC{&easv`FF`*mt!{c%T^HtMJnPvT-g=~&eNa>q%;~=qMKGsDR2XTrBnzrdp z9P_EYJ!|4=m30c@dm#$>FvJm94odreTd6laRON(X8xi-ZGH~_!Yxj`sFsV-TQV2>D zw(a<6bn+y&u11g}ucCse17cPyo0TGWb7F%sLpO&19Y+!ZS> zU)Ije5(eixpB*B~48`YzTii>6iMAqs-QCjC$UnQwn0XvyU}HP9%nw6yXh`U*6iN4L zNjZ(o5h#2GSKl5~ourd11U$$cK=6}F-?Dn;8m{5uq3wt@bIz#2YT0zc%3DDKlD@ z*SokV#Q&(uT))XA4SS<@Fd^Te<;!*Ok4;(JxU1zvjr}XTbX`qSF6_~cneLyU$@O-J z$9OZQ9&DH!IG651x|7%_ev5+@5$UYh{8>_CujWoqxcWjt(r8E7#fS+-MNGI^K={pq z)SF`EydNLC4mM=iKBrvJSi?)9SO?{0ANl%Ebs&%p~)&m565%5Y$Ee|J0Gqy9~j2MDt|__ z?5j;>YCmq?UM&CJvcHb_9d(5JN?~E)=U%M?_0>+P?1vxY;^^ighD-|PDohRhF>ITI zMGgH})Lvzm&eKxMB-L1l$eFr3uq%Vek{btaS>K3)`&|R-_4oYz90pa9D+hH;rj{-WfWyI$8$12vHUVD9U+J9MZaupYP zU`b_sj-_mM;huOM#89sU@iC_>Xcyx?X?_MtgvnOZvI8e6ge#7)El2yYbC&E8#m^Mn zX76_5hnt&mNNmHjYfMLG%e#ZjYx^d9($%2Oq2F~>C>ZBo-y*$A%6A^!ACs6(+zg0fL6%$o5A>J?y51etz}-MxpFA|qx8uORIp zSxCxO+GDT1vF+dc-b+*Nl+a`2VW){3OR}Hs8<;hw1?)o8tF-2C-5ZF+o^|$c6Rw5{ zL@=IghM}0MTAk|DJxB-Xpn~kUIzs+z8^`#x*6q{Y+akHz2aWVkL-l|XSo?5Bgj^&p zR4XJq*lB=jeYN*d;&{mCd!~ek`^@V%(*Oz)Eg|#wfLs8bSW>c{f;WG9hj^&|qeqX_ z4t81jb3KeiXh|L|zMtqx3A4zV96YMX+bx{0uYZ z$WG9?b#S&xD}G@S0&}3rW)~;`BR9E|9LUYhFf`y0eq2+A-BGnmxquLe3Mfm9On^%cZ0m;QvOacG%iuRyr+7 z`00BX)aE^>@KBiZ?zSpDV6HgvMfv%Nu`yv9oNUj@5`FxbVoyG6;lXL}mxX$N@jD4X!ON)>&$a#b0Qc zMq~ZqnWf0g*?b_%`X8oEYv-up@If96jm0GbEkkS7LkQb!qP!2k4POXyVrrNyES8Gw zZ}NkonML z14W~+M6&278_5`7>dF%`#;=-TxAg&b*r((;=JH^vsT77oDW`CabE4(POBobdRBnm) z#LOKt%jxRONc!_c&93Vsg$_VjAvc01kaWXVDBt|UYL?}MN927E%kG;_TZA31`jkcW z7BA7i&Ebya-sGyIX?4bPEA|WNof7UDFtc=BqzUMn)!x!!A#i5Sjt;-^&fv2YJg7FS zp*XP%uUWh+KzC0tg^M6ev_R!UgWRt3#!@p3N)a2o;*GbFQkKtEdvrre(Sqg7SUhx1 z`bE8s69csN+^V}?w`JEbzGd_lJbphP{2(Vj(EWf1)ohXR3`X!IgWknBt6biXwv|>@ zdW1DnYb9Ro@Rd@T#-{jH>?FUrFS~_RlR7(|%b_d1*q|@s7l`JM{3(6y+S}!87>mh< zInQCwnWO7LKioSd=3FOZ!xe5&PtQDVsuD-^tC`-DropXW|F>zjtXzm|Ugg#CDFE3BuPJya4ZRf5?mc-T?8%zPv#l zEg+Xz>{z(1EH;ZIp|x2xz0U|9%+uN`ryvhXswb=^qLfXx8#t)UcJ}A#?xCS=sn#Qs z9qy%>%iBL!HLWyq%95rXgoIQs%MiuRaPU!4$be4}*)he!;7zIC9y!tin^?X%oW8R+ zof(-pxL(gqHIiBQ-K9?O$d}A0t_SbSK6|>V7cKUSv<_$W&FZHshGVVMK}ta-D$CH0 z1zAVJDT#y1E>MDu?uLkAN%^S+(05{NL-!Z9XJ4LM(1OJS#DG(JxZ*YQcuUL|2fE57 zFm3sP+(m0Cq=M(6kL#Vqlv)!`=9xO{++N`8j8!SS3V#TD*r4&fmjLmXgvzAV7792R zk&0d$@RZ54oULo|G&|-=YES5FA?w60td-rDJwPU!R{UsayeqY9ezo^EK_e|I{}ZqG z0E;QnX;&HQKD9a`@Di#-)h!Y_u2`Zi=pRG6Zc!uRNS_fPe}vvWH2H9zuk`1{&gOI? zA#?&vC(k}q=srquAw7a#f);fO2Y&88I{v-W_tym3+)bGFytczo@@^|(49?TbcRnmp zdFKZp zw!)jfNSt(+HS>&EQvWLQ!aFAaIXYUaHM09?gxf)s+^EiUw|AMFt9AW7frF{XvNwT7 zNTVItT+2R6vOQe8>@&$+EOP?m+hISQvBnsuh8>0$mfAXDKa~4)_gsP)Spe`68U=Qt`aC zj0*POiHCR$nL^klZsQ*A_SnRi{)fj65W>~$wtKrl_<*8wdr>zpBu8syrjy-NYevBm zy)|{+&RIlwiw3Y+(MWl#H;$r<7ZZPRJ`5h$ZZFW4$ zwDP=W;Q__l<*%B^6o!()2l@ozFjQo6GO^;zeg^GUBQ*zE|uH;eZE2R*kudo zQkWY$t0$}CVBdcNyf@cfk`3Y@8t~4?*-Z;RjV7t z&0K2ZV%~mP->S;6qdrtR=V#DRm+$)wY}b;7>vWqa@Xz+oqp2faFRYF5_;&|Vz|DNF zUB|`;jjSN|5K2A%J^rAZg=nv@UkYpA#wvUpkB4lg%#t>X`J`W{=>-`n5|)ajr}GZ! zhIpeG=@=WJ)-99%?72n84l89qOD}w}Kx(dj5l`5PJEuQ96JmILr{Rex)d2sX)rvTz z02_NuYMfV{^^`MN!8byJx4F>Y&J^Mx42@r=$$mEJ8wlH+_pP343G#KF5+25rvAE?Z zWjRUPaJZf+QBOd%;};PT{)^POc6m$#{lbl4Te8-bA!w2N`j?IDs8z+lvjwy)xeFm- zxVP}W%eCIdKaw5uakOhl?s;usLTaQd=#}UE!Ll4K!Xs#7c&7L@%YAw&OJuY{pO+c> zTeawyG$pGzwz$V+>1@SAnYo+BlO2W9X8y3zRpVz7;r{!NiL_b>CWKXF>03Wz&p)~U z!l{L97~<2~HL`xtU(_zS%*iZ^l$Y|MM|d>{B&JI=>|S<<6{%k}sP2VEw!gNWh%puX zY0;i*g~$SM0~B}&UA8&aL7LM^6ktR^L0Zvmer9d2tAlN zfb{w!L!oQ0ZR8gOYJ;m3NVXBhD0tT5`{C@@p#55py3!>@*eTI4Oh4pN9M=#Z?gf~$}?_UfMGzKhrF}Pg^A4h z`oOu!ah|Mtx7r15J(kFZIk2c`V@t+p*iDLylyBZv0m?ERw6e2b+`{pEj}vfrr5e?S zE!u7mmxzLCOJHgL`{^HSusa$hglv)ABn!jgzxB2ktI?D`UrtK)`i<}@=oyKa`sgAW z@+unC(Ig7C3`{W3R<{!P3W7klT3e!H_MG3|-CvI>I*BoEJFiF(x@tgo6?(Sgy4H}j z?MJK>30@J(uqK&W`f5cK(7rsibZ>D=jS;};i5@t)aM$+YhIv)T>Ohniwn`HYw!ocm zaCe9as|Glt=q@!|fJly{UfNTyNxQX!-Rb%r@^m_K?&56fk+u1nq#=5~Dr)769d5Ne zU|fXSu-U?iunW=6!Lzq)l_ZTAi5ndB^H?`1KFH4B$KPL{+ijD%A;W?L$8c3MT-#?0 zBT^9Lm^E|f@$R+0gS8j_kG0D(*QMYTIHe{?nex zykR34X%M;iz2e1pthmXqpypypiXd<8f`#F;$II1mxzNc%^(ARBE3$ZIF~oyBUrT*GQ)swWl=Ki`_BxPG&KbotDdyMf`)QPM)Er;c^w zYcIufk?6bGjRr}f=+YC&z}1*}dS_mDG*V8l*?=ARVh(R*(n>BgYXWB|BUZ_I>EUZ$ z(Ly$IlH1~6JjhFW%jUM)FNT-!mm(8y!ZHOdw?Du>?Owaf67fcDVl#i+dZXBDaiWRa zubpP#oibOwc-AR3pFw*oCwi2!>CE)1k><^*jjNm6{48~E%c;=2 zQ`BE}ZFhGLmh4AOSR(rk-8a$BuJ2pbwTQk?Ar*jz2B*_~+J@er^9VJO6Z{WwnkL1t zv*lZg)6Q8fqZMRV3{u=D$Vc(nff!z6Kbu3n_NHc;CZ_L7aD|y7a@(LV?>^02&G_x7B7cD|W zeF}_97%4k5Z$>f8vy~VcUSH8R6$H&?Zkkarz}y(HcU9m)jzL9gy{;YB_0b2GRzKrF zMpOn(`4VfOb69O#4%q~r$m1UeLvKX} z>_jd?xg(eUXc6+=BABEMTHG&H)W#P()XTmX*fFAEeiq~b(nVqFQsj`H$zqkLV$hFE zwtt6I#q3Jjci1XCl~WISKfpf;ndPD$r9ip#%`?W;8%@VEY!5^{7j0HD_P-Q{D7xl( zR17Ak<@G+J>?IXOP=_bDMVKNpH`v_pNifuj-5n_>vX*Uv6zUTh50}BC!i;?bbHlYp?H3yVLB*8aElMgXE-*=QAQYnXy?>e3 zxy%P>^z{awc7@zf(vS=_U4&SFJ9482#^dE;vchs46;ImJc6B$TYk;Tcpb4dnb;K{l zo#l@aw`J?Si>AvhMP}(qLffV_3Qq;Sgpo?~icB_JEwa zQYhNUtJoSXm)Jt}{t=o;HX3BrNMvx>6Wk4-x9Bk)fUmpxt&jv?!+#vdB>Y!e@uJbc zS#Hk0bG`nbIT#tvjnD6VJ**N|r`mW@OVCew@gh>$8K9%<*>x>L*}BpSiH|zM*fZr& zes2ntW(|jndc2O><($6!Pl+$(wn1{Ni$EMd1M?;tn{w#l`X4I))KkJHR>70YIEb_c zJv&bJTT^=lh(Gqf5Nl1R@K)w;0m$_2C(_3J3*tnP?b90EK7@0F@1kick<)v&beBT?8dtUM0{IAb{ zgfT$LjeizsJHGti8Dh}?Nk;u&2_pa0S^v*DC;!)^l+%z(j@3&nYn(ZZ9p^d4)v-I5 z%Y8Ml>8X4a(t^nvzN0aQTX}e8oM??^IEI8Y0`1Jr=lDHIwY~)IHz(!waxy6htIV6uM5mcvKdOT#GI#{ zuYr^g8$F|61gQ9J>^D9{B-rKmgSd#QX8Hfr3(8)*2lF%m63!K=ml<>m{ujyi&)Wad zbf2Epq*&TY$km$anBTh>C25qk#E%@0K<_lT4@--w_>T0Liqnj2HwTK%YA`usZy-wAdF&?v{M9oNn}mFSW;ULWQ7r#3P1sp< z5Edy@1%{0JgKF&=p>g9yJdLf?qC|3@!Sqz)jk#;W(dFQi{mxn!T-4V$PZ@^|mJuD|(tifk$@(NlUs_n+V)N=!i7 zQcdR(v8^D*oBQp;F-q6vZZ1MR}j9_#Hg z=6x4cKcrk=&u5IY`-gtqNsmkockbX9%T*4@l=}gGWcZKF(u&l;)c(7AMm?fM?|YB( z)+;z|B$*?OHvJeJX;VPb&7mHaAl*-vDeRG{f%&8(kV)@mQGZiHzn=K$e!;G0N7`Hh zT2>JiMY6QErVk$`AMB1w9M#XU&zZ#SLQ^9q@CpLGDJT549}~)#CEl8zYB=^5UHOhg zo1m#2_?}gxb)0B=F=d*O58ccF4CaO}@jnQUtNdUHaQ;;I>!9pO@x-zUdxc> zj&7Uwwz!$JWV{l*wUb3tm-?&y{=fFlGpwntYu8xWii(QBmTCp*Dxp_F zM5Rjah)9jpP(z7|fPlbOngl`-2%Si;0W5&D&v(T;k-EaBM`L6Th z{5W6!u`aHaxmM;{bB;0Y=NV)E%eBwtc%;>@4d@)xlos@$o)K;{a{A1efMAh$JQZB~ zM9FV==2$0QpebfUuFx zVO%Z=gfk=G`iI&muX>`{ZiaUBa3eWSGnt0-hIPLhR$c7oH&fKse5d z>DJ7#-U$xe+&^=5y_DY8YG!zOI7W7k&HTU|$B|0-yE(&Qvyaw1fhAbDP|q;@FnGHw z_N#WSkKI)6*We%!$Zy#;nVeO@#bR`zz&XO_)2k)@crpi;v7@wxTz1!aggY2q^?J)z z!WP_OcEb&yz%4|lhdhJG%+W)>^+7s2=sbNcjLsdjASu`k016y3BaHT_O_9&gWv+Iz zfZgJ_R5_mljtb1e7A#FwqgG=9QqN-xPEIyc{=32a0f@*IIoJB##!G>R8#Z4CHleYx=#VLo7j&x;Y{}<(6XSm(M2=@M z`y6WYyU`*jcw4{z8Lo9rh+hq?JI0Zax}u<*R8$L(*btI9-4+{Lfr_DEOo2^0l^o)beFtDws&kT>gm?YT2OXj*N|O#M=2Z|^TQkTgM^CUpq zoI>2{qQ>A$$gmta7_CG(N}a#g+TlI8yGm*&!FPW%$1EpOR zw~!}}L(k=+*tt7|L zZn6b;?VZnt+y|0@X3#;akX}yNg}PSCTkW%dxbL60vi`i&#fNbKkO~ffBxww ze=M`5`N(UN;Ib)T?{07Ojr{!l<&zJGWj4nkq%-aZC0?@e3Gjn__pi{Fv(5q}SUvT( za}f_E;`ly(+UZ?>Q4jFfa7XDVy2rRnhgrKFqszdKM#PIqJI&OOC+*E18Tz-!ZK|eD zev#F-kTFoRdqR#(sJf|9gRFk(gL8S&kv>fpS%Ne1tK2{-8R|^XnJnwUFNva;&l>oV@ksTUSVLG^?CQr7x`Q` z_@Ex+hT*-?O~;h_*KyMyZKvFNcEe}aCze{kK^IkF7c2aVR7QYxqa$4<6La^X9xx}8hx9rH-U^scCyI&U002U z#%t9CI!%f?Xe&Q>d$ltzK|`^+RowLQg|7%h}kgFa2#&dBXI!?(+RVVsmp^!EAS8gyuHE*c?| zK2IeTysutaQm2(cJivu_+Qo>?T*I)TH0A zH+9D!AztPQX%60|o*8G~RA{ZTNu+j;@t*oTVf$Y3kae3tgF%J1)1*{S<;n+Zqbz!j zZAtyI?51LaMv`bWc=1tdw|se5kt*4q%U>%u^vGkuB_t)An~Ehrg? zIpXu&uH<-(k#sWoNe%I-t>#zSji~Z*vxy(jT%HCd3F>F3^~SkUZ`%OxhSlD zx>z?8BM0(deb^0`=yV~-JN0MRP`CE0>*+fIvnTA;u%_9DZ1>Y=EKUQItXh(G#j*V9 z%I%1r&K2&Wq3cQpbAsJ2-LoR;DOClliN@{lhsO7v6~iy1*+%lpF5@!u`VfflT?LWPxgV9YddEPIXra>I&3xb`uT^LixGcPQtn@;Zfuq| zG>mbJ2?;^MC0%ee#EaQoC>&DY1!4_eGPr?L$?*A=b zQH+<)43*wHXpl@@HRe3Y+1pp96G8O=@f1oExVn$v<5HWA0xMR8PTT>q3C_?bA5OWj zk(dtxKqZSY9^RgHiWAVIJ;?G8c}rtvo4HS0b0lX^XI69kOen-@FdT3B zrI49D{kTqL9-yf*f3R{4C%(tK1%pK`-*D8q#qHcfkHc&_F6xU8o$3CI({sG_+uubd zy2cZo)WTuR2=YLBu+to%sJGqkhWh4EXgkbIN-a3`*YKrl5B`1l04CpX7Kl_CPX2>F z<^MkY@Z${Ln(h453qD*ibZJU}PZ!I7%&q-f+?;<+mjC9n3BjM*8g0>ipfkU?r0<9x z$ZZew2V^@E=%Js9hrv9Cf5TH|B@ViE-QXn;m5nRAy1I|2}S z?_czK`{l=Bf6sa(4+WG4Un{IOqg@)>BOo1C(lyo==OsAM_J05*9(+&alyMgsmekBN z#@eal86|(R=6s@)Z?sZq=Z)(`-QRPbUK#Uj!rR64^R*u4Kp3Y|iY0cnal*S$>t#HRUeaYJl zJ&`(XOO#4z4A05Y2khlg4}g?45FzX;rcOVboxf8C+0R{+3FkkK${zLl zmssPmSz4~NW~?Talw6A-i(3 z!E`yN;Hi#8&19QKR0>saa);sYRNfGP-~gfw!?WKnPMnCntRkjj^X1b^=yWLi(wWDA zn6V@5 z@DY8Sb;F}iHYaGZRdZmc*Dc1xrC9Ur!h;iK6-9U^alE=dmf=Bvo4>?c*RA5h7{ci$6i|fUeS9e6 z+t-klN~~4k9)pW8p4{6VzPTs<1X}|jiV^`EkDiLTgGQ5bYimCYw(ZdE_OFPO-gKvo z+qWlNf8ra{{{}JrWw-{3Eq1C?>~_&3NxCfiTFvseQhoBTWFc_4_7|y!8|ynZ_C*AC z<>H)J^PGs?SY2-s+?x;jtM^`VA8@Y_f45OwJ<$)C5f!z^@dKpD-rcC!X$HS9@%S9U zU#FECcgR|wWv5q_c~pR59piOW;(l2_LCYPL>#cM9fP{D`xFByq!p6YKd5#fNT z%zVV!c`)l@ZK}5qm$K~?<0OSV_j5oPxs?XTsrBTk6lvx>DLXYYM7{E%dXkq5_cA$F zP&j>?a;v3>a+X0DlZ;S@wMuRi3e@=lPOzRiNMiQIn8}kOq4gHN&TI*e)ys^yb<1|BbQdZ{*@a1Jg) zSf<}4BmMxHLfw=3HVSs@FrQg{7t$){7Wx<&{Up*V0~>pOuI#Ea0!fQ$wcQa5>qE@r zrF;V*)59lPE-r}8SG_;)vp8>yvEdWq_ZRDBP{{{22oh*5qfDN(wX(<#(xqM#OBsE) zVynU&CI@E~`Wcr7x}c@IMp`82=koD}SiTZ-^OWPZcT;D9fw3=}Wl34oj5JKC5xs?bEc-0LFN^|LZ=5F{J9;vEK_r@tqB7 z1TzJPi5D#tsC0c&c|%fIkAT5~E37U&Y%HCZiF-Cj5HS5?f&#udX+hotsmBG+KgufM z@_h8w+{CsMHhp1nYV+6$ed-FA+(7nq zckl%U8uWYI5EDa=hvcLV5)CCla}ry>ilf_)G!*)v-3-0{Af~^=<+0D1BFaq~tlBEY-sp5eRoA_V zCqf|dx*>EriT}#VMt#M+tw7L6GX;;FazNV!wOKb)=vA5?ot0bD^r^Csx5~>+3P9m) zvRKj(_cFAG!`UpRa-aS&`0utkHQOF+1CM{@=Oj$Lq9!OA!pqBO7B(u5LBZI$sAb_G^yC3 zn_Oopp>j4?!WeIrEIXMjx?687m#BogeHJU*iIc`VkE$QomVq!GopF`Wwbo?rNr&y$ zB357fhlYCTvRLt7$q6+e*uN80gw0yZrt9Ue4T!DHR_n#%77ia@p4Vh=$PVST2c9xF z-8!2p1dT&R0 z=M*%h;*8yk6y!T|FD;olAYabES!J8V<;scNyKU!Ljn z|87K~Xe^X`Yf8zGgw?1WfDLPW$c1W!Mk#(uszVeHr1+a_czKqyESX$Ry~;^De6WdW z=!yW&CRkPv=j0QXMG@eaqbDvhHAR%a{EEhJd8qCL9?ZxG|Iqo&9)Fw_A`q)tYoHIf z1pJg}_Rd4y6fXiU8U8__Bv$$CiE4K6$ZWrOE%2V@-u=?WX;{?91o3J=n=fd7YJPOo z!hGIJ$u@=MvUWWd_ptDa15ltgS&CT+b}!~xfIXBYUh7U3tDC>T4e7d8_w_wfZO%PM zgB@YcPCK93v(N=e zB@G%%O|*k<){4=^0pw96m*++xCb_w5NkzoMIv-k!4 z3IIOHoL6B@WofB-C*$uG?$$`*TV2OmtEaMj`ULm~vQn^3yR0(qQ_9&D6`)nhT)Mg< zCOF)CD5X63;^aX!4}L*+=0~`u6V*ftp`t>68nrEfbp; z#bU)f(RMGjCipVw%K`m1v8H5nV4LXH4NO{Xgrl% zKTrDcbWy{kV7cH+ZzxV=M6q)??qFn5({zVGLr)j%2`BdPp)QUR63Ma5y z?jcr-qPD2Jsq=UuVc!NN=PW;>hzaWE7Y9-oM8&JZz8fIqDS_O=E~=fq$ZJ4XhF}KC z>fk`sri87#7!CU+S~k<%w?4Z{FJ6)0q|obzMZtzu=PV?&tnGRRNk~ZkpS)MG zV_n#>`J5>A#>{@U2=*zX^D}ytlm1D&LgWYI+u>Cl^m;D4v@asgldy_yDVSEZ3?A*R zrXv2%R&IV#Exs}}dsoA?Nu9DGS*c(`z z_Dja~!~Ef*(BA7r`T5V1y?0mrN}~pu@VLaX9+3Yyar_QA$8Q)Rn1n#agDcZSwZ z1J3Y3=<4L;*`0EvaqoDq7buy!#uqj|HfABmhAN%R-K1~O$7A;WCiFAxK5j2tYO!r* z4YNd+2ftb_0qpvE&w$!{%}u8yI0EJmoeciPbbR;KfZrz*3if|D?K@`yH<$-x+Q1hn z5A;7&5qt987XzNghy9U(==A~&@b|{?ui!)5%`Ppjd-*>#=CrFsvrK!h_C$h9-tl20lsu_dRL`d!v&TSVqWK#1+b3*V@30kM;J^72hf>$+AqzVG9a zmVY+Em;YUt%_%swH^SyqD)TOHuCKHknrX+ZZj7F7uc<^KhK5cU4((4ddjLb1#I`Mh zY%Zv$ONSJE*$Ku@COWI%g-7KK)Kp}@JBuc*J%48?!dDI z4ozHG3Hl-gsU5HGW=Zuu0gNCc|J<6S9fHqs_iTHLOp-7nD|EE>3D{Xb!J7tX#N)El zDgc@AnI*ka#9I87mE=Pl(4a)JrVez)M(|3cb)n>SPtW+FeoiTTKVyBWasHNU{s9Q+ z+6V2t;{NNy`Hr!OJ+pz{?32)xnl+CEDG25^7~Cez;yRv@oMD%k_L{%i$@2kuIuuLk zjzqizIcaa~sM>6_#K6Jv17`TXqp5Ed#f{6TFDsB7z=@O{Jv!ew|MV#hU+0U0QLb z1a|zyNDk+l?pVMJ3KCy67SLFW^mWA*m<%|S@6!4&ZF+AP%x~Y<>G{?Zo&QL&x8~P_ zJ(Z}&u-Fmc4;#Xr#d}Q+h<%4y;FZ!==+^Y&7*nMRNWrc7;-BvZ$H7djjmqp-i-Bh& zhc%?0L9uI4n|^t*YZiQ`enYuvxl3Yk+wUavFe+||@n2^#7zFJ;CztCCykK(yI zNu81l!f*znl#P#E^y<^Xg|{6R;*X$?8%gRZ?7l#JHad~gEkC#JdKIBBGf;^(cK=M& z9Dd#`f##E^q9%?D4Se*e`(Q9-%L-f=BJm>-=6 z{1^iSk<#;~ZKit%;g^8S=+vjH=(qf1`1+D1vxbk{3?Q!R*`bk!4^6yH=8}7ek6d)G zhmue%R(&D%>bAqEgU`};%Z2ckF+E`?6cOpLStq@(B=m1dw8z`CRSgAE!vOYlIwdwH zVA0sDG4l;{=REl>S1~n|!<3A5kZ{pTM9BWIfw;3L{}-ApIqAxT74GdNa&CBr{0lO{ zzz`kvcXWZB!QD@GeW>?oAe#G8WQ~{(1QMRFllu`v5TsU)k2wnmC+FKlOyKc0NE*q& zi0nE2YO)Yp)VAL9d3^akP#t0L7FrH)Ny#^IEL$9YJL=s^$nP~>hWXOGZ6}G!5JC-H zMqg68v+8h_p;P$?@b+7;W*6pvy1As|*GM-*+T9%^H@F=Cj@`(TZD;iZli4PZ$&Gqk zD}ZV@sKS{2`><6YB~iGfsy$=}pZ(PwBjphk~cj z)syDi+8uX%mTjJA+y(64UT}5*_HWZbx0HxL+B)`SSy|ctZp(F)VGxm3YJuA@$^A5P znMyLaR0eB*eLJbGD!KF%I2KLVAzmZ;leq(|qh65YMLuh}L}>y)YggSswckuBsaF3b zw)JD;Whi96@@4g{nCON8y6VdW)o{Rf;zXO9tfE^RmpM|c?nOipD(Ks!J{iHo;_re& zcr~q*dcL>BCdW`?sQ4mXN$J^JYwHaQk&`f##q$JJ`~_6)OavKSc3IYCQ>f7*lH~hf zl+d_&-;{L>dpAZSp(g_3xAHE1Bi3cCqRIMQkY?b@5fsa&{KaM3Xp_cTZOqY?PSe~1 z7shm=hO`kiseuq}?0>9~^5PO6HRW0FHsR$ip9gQc(L3G1NPk^Jg^U(o{1A$@ znIB2IZe@IovcVnVGpqzT4J$Yo)uzN~DK-Fm$k}6jbJiQj&JT<}KwGsb{3a7f>MK;d z#QeUP*0tGXS*=>7uOVUhkJYi5!s+5{&5Wp_JZKX7l3g&DH|$)VU(ww}g3L^%^s>ZM zkYxD*Zq-p_+cNdUQIK~D!R@~6(yDVPCqdy^#F0iNM~^D=&L7aieul*`G+W6zcfEMo ztLiLDpJF84I*sil&>QdqV#9h}$wDDz)aT^~kQ9?EeN%*A4jh5v)GC5zdVA zbz!dFPjVf3Gzq)hmeVo!F+Y9tWZRPM81wTF@%gDE#Mz=qDt#+d z@aDA-h%T7a@Z7GMQk=`1f3Zm4jc8kZnn2+1!*PAMbb6zc_DD26`vRSwA_~|S(AcPr zXx{S;z$h$gH>9yUZn|PC=f7xvE$(RsbJ;@6%Vut0_|pK2OWvHX?YojiBOHXWd_5WvzXVk-1j(f6z>uyM$U^(i;TEmKWX;ggW zz6^V3%K_r>1#P1z2rsv`vOxPKwp-GxzDsK~oz!?Mt z8Fil{g~n!qJEXPmFEA&wtQU{e;`9w-$P@a*3hQPVM zTor+h-hbp~elAG=kjr$;vw!wC_o+qIa{KPV!cEHJ>onK7!LA)&r6DakT8Dl`s2ZZn zGN~nFq_bnJah&eNB*$p@mwy=99=ORWZk0css#Fmc7&xUS*kkm5rSmurb0cV^-XYeC zM!OKrBZtA{Cllg)PWmywJkppGCpRKs@E0ewH%cJI86C6d^Ej*odBL0`iD(X(m-Yd^ zA&>dL&`llBExKI@Vb8l?jo2fF9z$=fy}X??*my!tqBvMER9d9|(t@%7<7 zznCw-RpO;hRhN5=5v>D+Adttnnby+K7^Znzqc4LltHqAXuY0w@JK2AS?#jP6lv^)) zqh8Nw>yqQ(do8=X$e;EJn!iLvYcGnJ${JbL%V#^JHQiHM={FUxk|ic46^8p9di@SAfg% zS$)FVmGpKQ9L9Mo`!)nHYsI;O14Z#TvlQN~(p_(TA+-E-Tixy%hly{KeOVZYBKJ$@ zVc^mjH~>!Nm2AoA5udJ2cvTS93SH?R)$04ohhPuhdQ}Cla70h|uWMIYdSY}6|X*3hN z4bR~r*YWK}NSB^YFHL(9ZPy#IScF>JSw%w~DU%g7AN`k;7(p(5lU_lJ-F-khy4UX% z^j@EXT*Z7&5+GL1HwWcg6$pvCg4>u9zLz*-bZ@1c$*EY%+DA*RJrpYF6r3j7U}5%c zSu*)|vnqeYD$pIS%T-`PKdZr|f>-=TNY7nEavV<3_KV}X(pw8k@coj(BthzX|0^^V z`W1*3{lz{GXz)OBbZXTWeGMZez~R}K&kC1`RixsbXP=E4vy=M7>lLxZ_{KqpyZ7c| z`Z>jxu$(z<^Qp^9{qqB{hJDr>i(&MaRSoo7MFqz+?!GjUbnv$lzU`2`)V9hKVBU>A zLR~EEDg=S)R~5by_dUUlo{`vu5F0IV9?F8B7Kp_w$AH>9W!74To}Fio63R9ncCs~1 zt||`F;&`23&LWN)zg5kP96cLD$en*Um$_y=6k1fpA-{gl4k+HKUJsamn!@hrVCh>o z^g4dW(ikO|A*Qd>o0Zfe1z8U4FU2&qEo_^+kO@(ZS#e$aH&f{OtvfB06vXQ{6>cZy zli7D|?DqznsWPwjg7j&zSc15YiDHSrXFBWD>2v+wUWYhbg}=t5*U6X3@$s(79Airo zE+bWj#KgNHV)M&4rw?KzWkGS0yOp0X?(xBIXc$%ept9;bij<{z@6LV0%7rXE1iOg9 z@*1QwBZ)YRfMPcm!-_JK0mWAs`T7J5EfKNc*HmF4yOm?Fu+7d5aR7|HHtn656eu$@ zsWZFLiW*MHLNOp4#08A=oaS%n=cU}H60t@LM#zxuht)%ilUl|T8>bV3jS4;&GgW+6 zsF%)(yUutQ=I5EX>)!vHX;fiv3=`Ay_9 z{rbrMg4;zm<*ea_hx))lOqK39SytXFkd4t%>*~d_e4zn_s0|__q-~*#%_q?oN3~uo zhsjwPGs_wJ`YPU2#n93cqouX75O(Y*WK7v5>9^c=U}{i%osY-6VsX5(iquxh+!hR5 zJC~NBxm^m}a^;J+=3CC+zPJ54cU`&K61tcav`+47i;T}bDLM2Ex-qrV{a&Tm zlFZ00-5Vb;Ux>EvhUb4*;UW^17#{lpPLn?&R~5IdlTc2c%xe2zK`+Rlb}+F2#Qv4@ z*WXopc{0k)CQFb#XrIg8ISi*^?GRdiy6@6ZtX2}_#i!KrM%Fx(Q7aq zCGtxAr&VaL?(Avq8t$}@C&u1S+Su%s=8W!P1Qo7b9l{iHdTsp1a69a;IJsAsKZ)U& zCi;AQ=4O|XndHrRhndi`Ik;NS7{acoPN9;pw>=1G zr^d3jRUurtKJ0jI5BL1=2B4=iUOHylB_S8zvuXE^ulZV{=U3qCN_N|WqH3%iQI(%d zqCj7Eqwm&!(WY(W=OU)H?YNB#PS*qKXq&y*8gzQn$PBVj9=kytYe}CE6-jsOD(B6M zweG}|4P2V$gsTaI$LQPZ%w8G=pfB(Zj8}jN(HT47yS9izcrR~1De*K0 zDZBz&U9Sw(DrLz?A-7po4%fuZhP(PkYynKs2h=)J;KfW(_}oVS*QCe>N=~SmAH*6l z^Jpb?pY3|rtZ%pxaLpuFx&NGgfD9nA!)+gD~aKf1p8;MCP?yO)CX06ZC=OkX@t`Ovxx2 zZAPT<`WJ?Uus9lj(MXEzof2OvI@;K4>{8MP<_kth=NU zD;jJWYhh5(fM?Ik=t{PyMSzbTpPaeBi{~0usTfOa zaxJ_prQQ1`7G1oLq4$qHCI79@>2)?YN|B^(vtm3goDd_gQD35qJ%nHRi|AQ!x)Wc+2d@ARGE zzls`&-)99`D6uT7>=n+i4FIa&%6lV~Rja@2wQdU=_}r6YG^uni%R4fSH@<*L|HOP> zL#)^GczT@#x^ak;o^v5*z6&EVC}Rkve`o?%iqmO&{Gr@CdgVN{C_Gc8QtEoZivM)4 zk;8_g5V}g)e?xZsW=m9?`;UJwXIePdqFYazK|6S|g#b-vedhP2jzRb7Q zl4FKKRhzPEI@;(IgO&K(4!c_i5ev`8hG1VgmbC-u8bKRwZNx>J+{I-Kzw@Ws$$_#{ zxiaTvEpXP9jIdxg1o9YW_(cw};+qaUeZ;PJKz4U*n2ZsTLr&a>l);QDu2|J=HH}gT_xRTI&6fc9=@0lHt!O(mmFAu&9C~LU{cB3S8@H z+H#?|sgZpQuYfXg3>ScmdBg&%HPEs#7Wi?2&p+DquRlj(_KvwfJOw2l`N50C04uMA zGmF)cItKU~V3h^8>6*94SOOtxg|E)e@g!XZNLN?s0fuv@s)Y-lOr2kC>$WXB|84kO zv3a%6FH;Ly6Sm~cOjlD7eO$+T0Jbuq)X_oW8hm!7;a4czMz*ra94?`RoZynaKbOI$ zIYk)u2Glryi`TQO2vKrjt*w*9i?k?RV$fD3P+!J5lJ_PW1 zcl!16WZgOT%eI$-bULcV%El(cwjSh4!Cz z6tjOY`MdG{Q!!Lb?tX1}^M;~^aBT!bUYxxft})zD;fS}D2wQuLEQ?9nx7KNy>Q$G2 z+OXdX+cNb}8tdL4uD%V@4}AzwvQ3S#kHF0znb0LHj95|#H?&P8VLrf=>k>?@-g9o= z7)9=TYx})G2;LKaZxO$ z59U?hYTX#+rQY)1gQ7e}7sJVhsU%6@m*<+4X=cc;zNVH~%5GlTZna9k7yxko8lfzh zm1^y1qk4%s#H6RrmtvU|ll9#Wn4^%Td&i+W$$d{+Fb5P%m zmT>POhwtEm?w%RM3}tjrazd5)$5+*t0^K_-r_-6L(&uYG*K|(ogi|Dtxw!dY%cISA zHkG~PP!?Df6Qjk3;z!r^AA5CVy}#y8C)CsNPsffUb`!5dy?)BcI)oKpu)UkWoyml; zQ!lB7<@=&XpHTZ?&}EvB5OuGtocysp^RVE)wS$)8rIKd55B2ULUHg4o$B}d|_X-ke z-6YVF_9QS&Xq)7-U$imCV2CZJ_Gm>(wL^th2T12pg**H6iPp`K2~)T9DJVPfbNJp? zUeyQ&%1L4brog)$=lwI;d&r-H4me3mJR6g%&_8luFTi+Eu97lVue*FWGm&&?bP~%i z5^7|*yb}tk(@(4ES$%Lk-TTp7RZ?BH?>pO^@c}Vo=EpZ(#d8@pSB9wa@{d>2GCi_+ z0eN>_TwOhPHWoBSZqVOD=_GC+FZKT|EVjXan<@_t-7R(8+Puek`gjsFERp+xX3WtA zzo^eannTn1BWT%SA6U#dtRzc=`bHwch&_KzxUs%1*ORf~PhsyrBetM_XxgyxJ4v?0 z4bhhZ;sY-w!aa%;t%i3-idd@3S3l)Kn47wK*lhb1bw{yS+9q?t&$wvJZJkLGoRD(K zWlfE;zy&@@e35SS0^<4r2%?1FR~97^+uM+@>tMyIq@lvKITVZ0pu#M*?6Cd40@c*i zhL1SuEN4RLwj5>19+_y1SWr!Ilh&Fr%}getFO+=TV!&JSFA3*N?G%fJGgZX@x(`k_ z3WO`2A&y5KK0Z|KtncdLGODIuNhBNJ_(LSOkR^F z1W2&c8`?O#zXBD;I&%WQMJhqh-`1U93am~O zUi9yfg+56>Ytn3*?utM@Kq~%eCnz^jIIvKaC8sdFWT^Gm!jqIuwLSmrXGbfsgZN( zrBAS7;TVm2m7k?W!SyXC0FmuwM(OgMU0vl$o7>Nc70x4-;B^rMFp{%L{|Fqz)@#4Z z{0@<23{9<%f7~R^d|xvbg_SuJ9&rp^xesNK*5}$N9sA|_AAZ(vhbh*N`Uuf<_VwWK zy|kVcw+_$2Z71aPj_bQV+ZPOtR$@1qIFk#q>zcIVu6973QMo_UgN+i{+J*S1hYjB9w{h4pJP}+S_80~T; z#o<|-M`?Vxj(*GLR*=??PAYEF^iRk2cdLs*i2V!wMLkvctxQ;OL_&84$}-}5{JJg2 z^Q{W%J*p}DiME%|)9XsPV|M9vtOu$sQ-?w!L*~s!SyrQdGvE%V#gh7R-$K=Q{evNg z0C{iAu5XUOCzTfz)^ZRv;o%D+E5z}=Ed_NVUwnpem1`wmfOkdU`iCnm#g%+;snLu` zxW#x+@m`frTf~z#F#iTYX*irMfsN=8!7>-)p^fsjJslCm(L4GU5R@{x0<@DmzeRIq zQ6}w=LtzgApGO<-c5P(7J;RT$%eBQS+Q}B|UxYt=={QWPG|-(Z-pW+>X@*JM67uZC zUa{_?^b|M_e$lA;IDWtX?+g$4QV^w{^g3R~!KZJ^h}eKM##aZTtM=JI+ud;~_}HnP z)qvD++XVqhi8G*KoEQ|^b40bSDDZrFT>7EQ%zRyfDE#%R_6;GqVdph3j!z+xZ)Ei_ z=32RPykg74CR)OPMN_YOb28$@4VHL0%)|PV)eZ-^jSqSF<`yR${HZ83{a6Gup^!cQ zGl3f|Ur8RBh&_sXz=?5`F5%A#%*-J}vM8BPtJhx6hd-*&3NRt-)NM799%OB*>+x&U z*y0iOVoSz4oIs6Y6`TP218QqOtc~%gv*qkqN%+J=NUzh}66c5dr`7s?he7jUxjuu@ z#vS}@Pby?zqi6ob zs<&IL{Eea+#kkn4cdqg#%W=pXiT|d*_-$p|#!Uj=@Z>M_Qf8Aup`2Oj&21Sxdha+8rJ}Y1-qCVPzgbpU2@B5WPc=Q@3d@B|m#&0RVlu z>QRAM@}%$P@>6y-4mU2YaP3;aOBln;j)a{()c5ihWazXs4lTinN=sUB5eb6zHa%{e z%{)ppVWYzC@c;+it>dgXH7!fF%r|JUa#}hiFY$T!DTkRXrSgshTd#J-qPc`I8!EJp z+0(B!#-i8~yLm_GKc72N{2#3hh$(MsqtNipDDTY2$@|uV)AL1l%`Klu3l+NS6zaFH zTY$#HM<&B=KkLXZmTK8Zsp-xwP;!E=KBImri(XzEaRw>?^3-I=xDkHbgO%}e zFJ7bS*5il=&8z!=RM6!{LZto_^(>xCxq8>MBa6zpCM!dlIpSF0kQM)&czZ?6fc^?B zuVHP6_8Ckg(ARfSh$iKpm`2rwcIkt}87yd7`+RZTMiY4adX%5^BBstOl~IQ&w^wHEcPp9|%~10oC9^G9aLAuP1S zdJ5UkyymBB!D4+ev$-lN31=!aZoFz|AF*1fjVbUm)ET*}A)2yEc+Bt_)A>br2;&u$ zYD)V2*3fi&?z}@p>^W78P-cETy4X|3(lb25>^?8_(>wC@ZyUv!@H2B}mz43C%4$lU z!+lqh>2jGO)c`+;7rP8yOq(CM)kIvsFj^?Sw2n(JE4Je~0k|`j_D4_{|0%AK`WIKQ zYKrgaGrK>z@O#ACDXdVTWp_ZE2k@mbX#KSF4pw9h|o-Go0p($72`j`mb2UB1HH(EUbs8mOapfPWN2bB~$ddf*w)zu>B% zQ=+C)0zZGtl!rsjV4g3u3s5bYyW<<-gC=Sf&u`nwC$zLc>iBBwcIq{~Z-_@Z{37nD zoAp=;vau7oa>1=lIq=CXErxeKmyY24{rzS6aoReYT!18+k4cL|df)Lp zn^C;k>xud)k#&n=Lv>$&@!YELbn;0oJjaopOI#79D3&ExYRL@^ww(WPoZFov{QbZH zoe@cs?!HIxZ};R<)#UXv(9&}sW&}agl2k^_5hr$@BP8tQh1{V*yT`?5%FF4=UUIcU zL&d!TsJ7uB9Hp5IGGp(IC&PIPI+i!OH_cGFRwzTy9}^vHeD()B>js!6&w#b}Fi$NW zAh#@G9^aRE&seic3cSqq0W0P5%iFt?cEqE2eVNC#Vxd>p4tmJLP`v@q-n)C`=KKJ= z@C@v1v&ZEI->IsM6}8UVj)|<1l9QD_8I?Iu%{*yIeH?{p(6jX9aW#W_v5zm)@p(J7 zJ2HgWiIkCf(c3>|@G4h~#G8K-$^+c(%i_k+RU0q1u<&Z4y~a%UwQP<}S%>rqv!ukm z5I-v695N+C>;7?T`QhmUD^Q%N`?^(HC7%fl?*r{c!# z;!@67{kh8guK>CUufz-bRbwt~1pq`ZkQOWxORzT%S7P^6UM=*!OM)jDMKxM=u1OJ#Sv4-qF=~s^)B0TSTDzXB;UpE z@yN#N^d+RK32X6h%f;x)hKpn??|p3bvxe~&-QWml+Srd0Z?Sr&G^GyWc_Z&aOzxY+ zCGy1sw{o0Lic)YBxRzh(vIwm6zYV%dUuW zyau|WAmYis1Ti+G2lC?(@1%6LQ^Hx(=Ggs2u|UoYXQ+CHk9v%MW|EHZ*hC`cW z!gx+TGxk6>Ra8DOY5G&X0oJtQ=*m%6sIsbMc8GGsHo=ETE0ybba4|O0R>Mx!8~Oq=oc(zxxiV9Xct-u=s0*oTYGk2#N>h8D&}H(TN>hPsWSNmy zKEtAvzqZc)V&l-4e+E-`O_frQ0P<{sDr;02h5z5|P_NJ{IVT%C;8>hh^wWgv10{6@W}EI;55lsoi{-8Ko(%Gyg= z{^syWWiCliirFq>$T>9KGxDnaxltg|_f=kodXJwg@JKM`KqD{>#k|g$!uzt{@#Zam z3`k>pdSmSi?TTsTqt|u*F3#%S<)XAn?bf$h;tuSh8A(`?E1JFf0=r(er`}N&&~vdC zpI)~W=^*W~)4k~}E;~@x;Zu!-uMZq1YL(z9)#d3%dkufV9o#XLrj`fB;RZ4M2tUO> zO^c&wzSBI_rB9WWD~&@3;|q6&=+befzPV^03$O4jA3tC=#Texkl)$`RF1nFP4N>p} zJGHox92XCF_xndx@i#B+@JG*uq%q3x2F$x)J=YRcR^g07pB=m?g#9x5bJ78C1%WqN zQ~1Rk^*M{;NNIB_VZix>s+u!oEvCtT?!sKgVMzyhm{SJ*= zXjav&RIdnw!K%)YWM*3FC?8WKDWlYq%s>mKmiT^qA)2A39~0=xKU9gHFek&`1wL|Z zqq9#ddK0fRZ700#>R0M2;+0c(kXt)!nclUH#n{e}6xzcbU^dXZ%(`p-(CBM?g0%?l z1<6qp`=!2Jxu4PAzi>7v*Sny;61Ln17WdVId`UWN>VRLSf|KE19#k%@8qN&Ww~A|3 z9e+;z)5^3?Z~B6v1|@N%{Mn4w4fB{HSmS*N1s#+?rQ(3UAuhSgA4>k)96xN__=t^i zK&d)4P{tJLonwf>?ts`GUXs*k2rIBFLha`u#ZlUo^0s_tNgce_q~B52@x!gqtP-i| zXu?#P686r~aOeuZZE!qYt=F#6g6)*ymVRb_Ud9@v+atC92hE$EP$=jzcMi6~%UT~$ zFAI6DK0JHb)v{q@crA1>de|l3iVDRBo6MGazoUbI9ae@XQU+^2x&|9W)pwM0PF#m; z5RVO=?eHvr9b0Ef%{HtWPVlFie=?{Q!g1EG;T**Sz->Hut1Kx(9BM`d-~4e21wR6~ z=#?2drySMFetg)mMJ6B&{=^leq%#557neQ{(Oo6vS z9B^*26I-BZm=@jnO7ltCl^*6BMwU` zd2eJ$^?0K}&aOa2QzGo(Wbzzs-yKp&>ry(-OUn@z678iLJx!j-uY+Ca(1B-=TJ?vf13WGSqAt zEnY6(5=*?D*+>2j5@roFHCuhf&I?FrFKVZyr#DTxy1Fj)RUvb~E*R#!LAyqt!9%0Z z`XF6+o)O-IVG7^JCKCmnJ^_WA8VXE*q^E<1y~6^DAVsQ~)&re9vOKd=3G+aOE0&-l z93ZeN^uwb|PxEsYk(I^3Iq~I4YN*HGwcqZw62(2@?N6TRG9=Y0pvDx(&yc zHA?zgACv>NF>a3UqSyc;u}?rSZy`5SFl)}E*nx}MV3~n)z!SLUPrMUr2MRtAi_h+= z>jysvhn6R=67EnItT%2>vh)nfEW8P#rf?sxTNsS=;c}IresKJ^99- z(k)#w3^`*2zN!?cJx6?knfoYE$+!(r67iNFz_%vi7CyOq005a;Qeuc}TvqgmccQkc zPl1<2qUwn$d5;e@>yI!=Xk;dO zC=isF&M$0A%r8ENg|2JLjd^yw&<=8VZ53P~^CG0=sZZx2E@Zs;h8qLJJX&`Rc~HHA z&2AK5&(iKDnrG0Oie_*o%re5kmx9b(Up4gJo09V8ih*vxo{_^Zss`%d2cI`M3%b@X zKX^@}mcFzSE}b4UOAWUu`3B!hpWP=UeZA{8c3C*|(T7_t=K^fvxV(WVprN*0;lZgK z`rx`~OBqIi8TvgNf@eUM&*P{)&F)F{_4xaU)s`A%aBzM+K|9p;!-sX&`fK`yK*#?6 z511ks_8W)S{~+-CGnv#Zy5STPuQvJUZQ4V^h+cWQr)~Dl`;hLQcX*?!c*kbbwjzjG z1~O6IIa+ET_t&7?)eY+T#hcg4bZo#UHa*@S!OM`ltF z0n3U+?$o+;W?qaSDJ1Pa_vhm>hD^ub-`{!lTTtO1`S*Y4-~fQ=v%m9c0KiFGZbprJ z-0}F|Z?Gz8GJ!ZJ2L;VAR!eQ`|SVLwD&W#wz6RWW{i)hUHLxy2IRNL09B#Y z3*0y%j$|4Eb+eWbQunL{>2=ah8E)|_gtZZoqBwCPu4`eSnYd(t$d=9e&6M&yFRrQF zq#$5}BS5Jh+Z_z3K**Ra%o{b3Oe9ntrtsXpVPNO#?8 zz7Ajv-z;l3!Ae1cF;-mJW7mcK+MJ{!B14xp{*3A%{WD5G_2#@mq`-hLKOcD41C!Xo zMtJ!j$GQU!t~ikwLeT!IBj-s<5;^6S}0a`!D~o z#r#$|Ll|u41TWn@c0nwH@|fkpgnar!nFv|b{5^r|aed_J+jp1i!bqEmd}ek?eW4Th zV2MndqQ+XG=S_#dJbNRARasxnJf1XPRB7aWRH>EmBdjyi4P=kZr@icCwUvr3WXo-L z%_gMftQ~Z^5sg*u@y_P>>*ZP-fuq>X#OymkTwvYEUik2F2O7x5osfu}CA>@S>Otb< zl3ki~!n&h|QE+GN4(8eF_~-ETftOv+dP^;=$wQlAvo z1ZDU*PAr79o=s%b_w!-?4Wev@s{feiH>wHsyVPKWJ8@l0PLF^mV!X2f=N?Zi7W4J5 zJe(v9vUfA*ZYl>cXFCpR*akQzjYtSoqntr-#=Ce@JBYw|0*d^-h?O*TA<5H+za$vX zGS-E}@LmAQ9}PK}qH$5OYp`)>9eUuT>8ztO*T1^sSg}RPA&!|FGxhL&>v3b;oYBTNbr@+4|Cr?# zKqzYrABK!*fU1(-ru)4kKNE?@l8(M&9A-;oRfm zS8l1n?>71_uO0mTkM3(QqWtZDIY5}e9lihlTwWC}i!D-_Td((0d+STjfk@}#`{hEz z?!U$sve$Vuib2s-(A5hUB1oD?c#Y)`D4j7MIkYtx9y~3WVgy*|%x*SXXQ_n^&+3>l z&I4}4Hug*Jq24$YSJPuh)hr8wxgiEn<^l@h!vRE(n_n0%n&JDudFV9GZiZ0RVsKbZXZ->nC!>uG@x^onjNp^L&MB z{c9%bVkBuM!(U?G(SA`NR!8s-cm2CzGRj*1vePJi;STOvyly$XA9&*`kH`5D&dfQ& z<8;^J#Pi%2KjKAP(=%7DKZU%}9JWJ2GTV!L~dJ^xCaa==V=d_ye(6a&K@+g_&x~SW0TH( zsIMZsw}MvKYJ^!a&X}pUI+t-xczO*!tDGYW%4=NZVQTSEhcITw z=zyeu`lCOf>~}Y_h+;hk4T$Nqu0nfJW>0{X)biaLF1jaeH+K0eYpRmfR_ujTwYpF@ z{f#3P9#c#p4P9u@{F-Z8KjpGHAC2koW_1TeduC4#n0BzlB!+(0GiV~P)F^`1q=D*` z`0_0KqPj=fz}cV)u=xX*swHL^lftNoJJSE_vW#BHv_sva4;U+>415`=;k?U1AM}|p zM#0kQCyEN8-xn? z36kIKQ*nhItX6fHRxYd(MyUnZ3xNRqJ%Y^`)Z9WWW&0TJ$nRCd_EMz1eNGzx^@0C+ z=J^nRdvH;^zNNkDiOKh4Ipv<2r}0#(M7N;*Fx10U*ZaXTDU2qzL?U6-BHbK*s=H(QADoYfpp6mzU~M;Sb2 z`>4sPv%Z561da+YulX~|!2bvc6zSX>_$2k_B<@(HJnoJi@TFB{?b>FijBLCkw$JH4 z5pvvqitZp`?^`qxNZL72aYsC*?@z4gM)NQ9;vc20nAk_yDc_Xp^9aG+M2)@k;rr6%@Ha_sV z+B(ZW?%(M3{{W}|6TMoLay@VTzR5U=_s-Ol&MW5f!)NfS)>l@RHwR~L-tIG!{h!#C z`yN%Mf~^ktr9jwf43Y=Xk;sP&lgg>=vC;VyQ1)Q1^1-j4E5!t7-^uCI|I_PpqXoHGM&Ap+-dFB-4cl*AJ;v#;depml1{`~Knf`bM;ESene5J6;-b%yQs zL;jKo+fLPBt|jkV(!yF|Vxej_BG7HLhG5C@q6)s%V$SM!i9gf1Eg!`X8)|Cq)dimr z$hKE8kq9*_^6O$Z=3``~*0gUnRQ7nJKBEEjds39|?$tS6*y5St%Km_SjP1WC^3rwb z^j=NYo1Gv=JrSE!V*hhbA#g=eVxgcHmq}U3-a|$VgNflL^WMgF0g+dn|3ezM39>4j z-Q$vVdN@k&rNEdPx07`q{kmb>IjElbd6@Aq*R;R>ZQ9e@jY`kq)8F5A_VgsiI$d?I z8e^=E?raY}S72mkZY7Oy_0?!a=&m2^i0`5QP&2MO8A?^Fl^E<*5GzyhCX;@@V{rmw zg4*?oYfsF5LbFInteCvKJkm3*x@SfI41Q00Pdf>lXUV*)XkL{cYyT$2aBz_ zdkUNC7OL%(ydEhqZ?l(BPg|&YW=)$Vsp%dp+zK`iv!&5v@iSjnOKbK4LAIpUxg0sJ zGD?K?eELg<#T_wEdb|$3L1P2V5Rsmv6__!if@T}t#FWwSLLdCJEM?uldf>=Jen)Po zVbZ>=oqO)1vRh4^{jv@kdM)pp43O>kJk^l|bA)F#?2M0fe=&6ZnEr>yX)Kx>|jqqBQs_m)GMeFz0MehXRp78#=si%MQO3`jV4fs-pH`2U>GpDap<9s1N z%bts{oD^w-2{WWd6CKV_nC8}WGNq&JeAuM2GM-}@73Z+Tuf_59{a|&jTz>?Z>OV5K(z?-+=)zifB?FGy^=#2x z<>e;p9$8-q_rUt#83G!Ixqzv%Q<4^a)Y8}Z%+wLubia7>-ZuR^H`gxgXMFLBQ}~wa zbngDH`*dHv-rIqJf$#3QVQ05Cr;@IG`}PfXjlUQ&(fn540eeq-Yg$M{x-sUsNM`Ny zE1@7p_7%Sys|yYCZ!^e?E-v~mZbZMg)@-stN2}}9WeOG+Cr}L)N+bd@DbS_c1Aq9yNTEXO2OfVJ;7vVHlM&W~FWH^?QYX!!j)aPRjQkO)ur zt8m}J+P50|8v!HG#QP6gzSj%lM8{ZyO}_i(Z&!MDS5S+uyn@y;|8jEQE#~RCf0i>w zb{qFoYAfh*`V!G|YriD?+*qv_Vw%JvsMFNQPC~)!rxbnmeS}BY`^|f_)=-t~b%|i* zcRCD1cOCqe)7i?n?(D$QCKF0FTkXl0+P4mFEsTw*otZsKGK1K8?ya4?R<9j%*XRmn z7v?-YNrd?+Gx1R<%so?n$j(FRBgoa)%%H zi%*|e#P#y4&zI?Ea}dDe`ni=KewX%4oNZU;R4wAAxjw_;iUhgvLb6kUBTHFJ^Wy!& zqNHfOm`vq`2Ly!{U6abd4dvqE_zPVlL&Jq;G(Q9@hCJM6Q`v!X^vz*M$}b{as4}y{ z?}CC8&*u6jI0jv^b{>Fx{_qZ{8?mpkZ#FW~Ky6LGqM|{> z7j!JwhqL>pttW;^))AGgBvg|W6WGoxiD;U z?r?~OS8?HGhT0STrjO;%hGb2tgRiq0Ch>A$Wa0IF#KdQ`8Infy<{9XO`mlf+X_GZp zoti5~T3YKogip1y=JP6`%6s5kn~xuQk^?8^?k)r&$_BRI3{Sz?=40FLsr%0z2!0Ee zLdvtnj8sJXMSh8;=yANpT8`SDob5u&St*O+KWC=XKx1DVwDRs9zGhX{9hN{f1XCR6 z(|xMDxGxxuZYxUwrqA^4Ic3(=i_tZ$8uX7 zO}V|i+@fjw{KQH^bK>y(=dQN(&t6c7LgQgTProt@O2%N;ax~)FlqkpFSGq7Kr;3hh z{*qB`rm^=+bFrJaD`=*)W)1i75UFM2m1lDd7Ur~N`uRY?T>U!d#;4Y1-j#QOAo!U} zbsL~Tkw^@xHOwe?GR5gqGnZZ7mY}yVp7s1Ujc}_7R!I}+ zvM3nCxntUiQP38Mu*^@}&yxPr>gl*yMsj#TzxynG$*9+~Jw|oDk)7y@8o?_EyDsv6 zlCukt96S~+YLSs3H-!I^k*qOk3K9a{jAMOT$9q&_OtBNY+KxX2kJP7?!E|63 z9`aYHwwadUTXQE{o*rxoT<)VS6|8(C4lC8kkw3l+4=*^Ijw~j-?OGjo3IQfhX75sn*!3)0H&*cV&@@rPVYCRx~h|x#rTYfqNvmFoSe-Kjlh z2``WnA?XS0-~2{Q4g$FLbgq$ewDo<4}pN+WIc;o|>u_EsbU^ z6V-Xc1s``RAvR|9+# zmTm##7?Z?Dm{WtharFcSe8SBUz%-EPm8p)e2~e26es2d~u3~xL8I<3w+AF9RSp&6c zc4%VS%@7N*o;HTpf*!r#9WQz5=vYdK82=bG6A(xY3?TTF-I5pmm;!fSSZcghzf*8p znB&*HgjH~o;i(-$86%$gpe}HbEgr3bK!?fbPf780!L1fre^jIbfrDd=j})UEOKQ() zVMs3OrJGO9@oT0F6*Q{3=6xCIl=;c+`?lxDi>3~lXYKAu35QRfV1}@s4Gc4}N~!qG zya4-bj{2htN|yw;@bPsjj1psrs!;P2HnbuTe=)wv%B40_u=w5WpF_F!C2!7NQ{Km* z%D-1W!N*(Pu|u_XPJA7dwpIoq*wnDkznnrOJG{&bm!1FVfkz;ukU);X%^; zX54C62cljU4!0;Xs~?i7Ou9NlRHZ>u@OQzgnW~UXVRxgwnUhONmK#ls6kd^vM2CF| zZ;;nP$Ykc8s{cXa5^dH9p0)M7OX7oy2WfEN%nmNb-FW!0&u!(qp$R)v@gX+ti=#6l z+Cn8SIENeL41X=@To_05t&j1Kz7g|~?HOpW>+Ktmz6SoV7_BYsg2qGNp3R*7+Niib zh>>n=t)@iE*am?k=6T1k6E-SKI*aB9AO4M_Gfu!8gZCN&p0RQ_otVK(Fi2|7E3g!& zIZZyb9oxlx#I7I2f7+H9v%P)Ajv*TYl>U0e2~y!WVis`D5LgM_3lMY8$*NrP5n7&q zw@-C-aeii#O>-gH>IoQ}Ap7Xzs?Qb2peK4B(H|qs6nonp!Zn<5(W?=z&og_3e z)LJkuq#H3d^r7xC5JDD^jo0QD!3sQ1UPIu9T5FL)l*{BdW9N>jNn^c{TN43M#onUc z>U{%IvH0P{($cV{&cVQK_(6tg`O^{Q-cnCFl)`!_?a*WluM&>lVXMY5<~-|8z`8CS zNma}5zE_pTbDmbhzC%#P%k5517+eY0GB~#%>M$7VRPxryb|JpM2v&Ejl%oXGg@jfAI?La@d5oaI zsH|v^&>4XKNVyIjSJA)na-x*5Usubc?nYbK%FZFxKEcV01y)xfcXANZxV)G#ol$;P6wLkPrr+p&X8GH`Kd_>GLUfJvc$rX0rtBS3ghen z^W2uuVtKK2X}1233k!6muvkhRrB+v{R-~u2is4NSriuH|9{clz#hbNs6D!-cWo!3c z5z7$>`qE*c_2f=Fh=dShaFO;Tq^ig>zG|g~R@rOr7K^W%kP-ZaVzbXwy>2Pef%;lq zpL9zq`=v2qm&{B&Oj^5E{O6URvHOL`)+-vJ){~73?<#+E67BkJ=O@v?lJt1(3WkE{ z9mUB*Kl~<4sNKQLh4gw!R^puoP0M|?k1c4gQiBdt32+yA;P0E9nTgQK9e`r^nR zUwp(!9usgAul4Z=#Y@-BEy%z15psllvb%rj^p?Ma@z-(Ee4KbfrTs08=<61TjNb90 zA9#vIjGacX-r9ys|4b`6U2>u*MB{n@xUyuDF(6A-CuCV~dG~i~BQUMUszijs1P##M z8lx~41}9>+ zcc~eLIRuD`*GrG%g8QPJ25w-sA9NBcLOp*Y@H}y}?DU)^ z)$)TDlQ_J-awk9tJe$2~No`WikA+55Z-lovRHUH|9SI)y<5)T))O{`U35c_F5?2VC z;J}8~tM@P}ge)Of>Q7}SffM1C@LzsonDkk~9S5%J37!04JORs+j|d{S(CNJ4ivn)r z-HKhAxMaHpR-qbpAmK>9v)*jYQ zv!|*=s5PWF*4a#D$(~2-f`!#d3#bn5p|{^g??e^(#8{%3H(9N#09XrO;2S(;?YdW> zzi9jG5Y;bOZKOIiL`+gcV6x=Adsz%4sCMMT{p0KNAxk$S3 zruj2sA@(8U+h9Fp^C3m&GwhTHLPkYPD#Uz&yJ?C?rWR@7<8Hdbavr~s%(>$MGG=H& zr)IMfOP5wq-;{TjYnpYgpdm$578>MBND|p(kX0*@iQJm%k@1acqUZzsKvwd>i2=s1 zj^YzJI~((<6LS5dD?*FsP5!MIbANXpfBr{s&2(?HxcUCzZA86V;|U!he^vT#gn}irrrRi=({Do5?I1Vz96I? zP(u99?Y#O3{$-V^!c(HbIPx%#>8*x9-iR!U`d8ulQMrFg%gbDr{GY0G4n?+qPSG#2 zFOxw)1pXS~dHio9^VqYqQwULBFnlKG>s&YVBpaf{6ort$|$%$aA;f;iZT!FlP( z2l+K*f>msv*qyoiz>^5S#ea%KK=HpX9PT^wpYpIgdv3yX^8dNi8DpQnb;nel6k4&tHi{MjlQw2HBxdV-rk(=G(t^|E1sG4&D5;^VrdGDKR}Y zwNbAL#u#5ekXQBJ4S!@!CG5N&=_Tds<%T|`ajW(RKMcn$D6V)xd$yk=&FiPKg)Zwt zgii}5>3Cmw!6Tgx5RLzjjMym&fVvt_6mD;2H-lIbr7!`&d5xWYix1ZARfD5Yy~XUZ ze%v{(?UuKcafciM2{AHBpuyGOd)~Rnzh?_@vF<4T&gqyWs3p7O7-Oi~^3kKbQuAVL zn>U6st6gPN`+&Rqx8`@v0ifhWzG{U4cdwX_vF~evsZ{u9`2b;1T85L&r`q1!dWx}r zaBq`ma2&EK-bQr=D(*&}VoiJJ-wU34u`_?7-!*ou{UL3_&@1;Gdt8)}zC-%+Q1AAfXAD%tyWyd@x4B$n$S>PS3PI@#v%`eyXc0%Xm2-8>U_^I?;#03)C&sKbU$J;((YBmPajM=PwQ%JZ80sOBK&Z2$do?Fh#*GRTh5_>R=sX_D^O{p?kzdw$m`Uxl~mAYqhmGs?HDb- zo{_2u%+!D_mJFKcP2=?iX2-g4SVrtg={3|eRMNlsm5IW@aXhm1JBo?jTxoTe1#hUx1s)84&?D+jF?fDbd=h6I z?gX)eOy6d5wD)z;(Zoi(%-q^mhhM_7J+UIAu69D+7{*q!W3M-z~okTKd?uemh@3T>;|JB}m zhBcLTecz0V*Z`G5l&Yd2AfVC&1T3TU-lRrFYUq&AK?GDpK%_|^AiWcMq+>-&LJ1IR zLJutj2oNBIJR4@lYv!8gy5IYLKfUj9-1`#=Ig(w@z0Y&4_5c4?#F$}AhpgdP%lex) zYUqFz9VI1f6jxvMZ)EhH4D0Do@`%SNuUoEBPjdM9Qd|utHiRBV6?acjMC1h>7(UV5 z4+bsow45`7>ICu-%^sNg$wNa=@0QG%FAb(hGIv^L?f9~m<}tH*gYfHl&P&O*1a8^8 zE@$C`>F?+_heS|9rIXo(Y2?dke4?+8#iz;NmAQ1LoJHwG^5y)7Z6SUy&8t_3IXOw# zdKlKuSK1Ed@nlf}s~YEpUBily)f35ltq%J4xai8boKJ1KCkQ9(+> zu#=%Tyx#=&4l}HkRq!QAuluF4(GR9%NiKmAfy3q%EIg*;10s&nq8ei68}jQ(QK+vMqOlYao4pJeVg+*1bnr>~HBczN| zi=~+R*OK_g;qJt?X6^BV+xFheBP}-w%J#AXMTZUgP7_~U9?ZQ$kSbw~vvMO?$M=@X z@ANxfUukjZ-*{d199JzOZ?sEiI!bUy)0x;Z2?_CZg^XdA-Z(1NdG|ZVl;e@gj*7I1 zW`fYJ$D;(new={p3+Y4Jp1XVx>%{_{DjGggoHyD>K^4SZn9+IBMzl}E$An|wHpow3 zY|_XMam4awsx-m_v--K2yhGF4kYmStjX-Gus+%XgN&H)Zeh5B4rcaY+=?$d_i*H_K zC7Z#N)L&fY&4dJpYxeGg2PD!_|CQ&j4GrGrupF(5oHN!6@Bi>oN?3L<`1z3SXIB^N zjdI2WeecneJNG+MMz)(~`Z6A1*r?g=kE_|9fek|ze_dTdWJ>QGZt|`f3>J5+K2xaT zH$M?t17RXmD&!P^xG{p4Sf?T3T@hC3lxvcSX9S`?4{Fa>1`-M}QeW1W7Hgnl&$1>Q z`Z`#NToZw7H>#Q$p*6B@d_su10y^FIs_RVxleW74h;@y#x_FSu4!JrXFGmh)>Sl=C%7>A^1$R)`uo^C>G}AGDX$T7>=k; zsBACX7VH217aE(fI&`!LxZg{k}9tWQR@xx&Uj10E$=3|XueD%xLhrn;gWutk?7{VI+NZ0dFBl! zK@XOU=2}22SCued-0DRYoXt70Vy1Ulu`^YDz|E<%Pg1ix?)KK{Cf2A&5u)wI4Vpbu zLviNH=85WFYdx#)^P7WFc7io|kg4w{=MO=eE9J$pg ztJLBCeY9N0H2sMgelz}j)G?~z9Gxi&wxggycBXIl^b>?625X)&_W83E9Rr^HcH@nN z*Gg^N;U@&MsA+jHx(fy; z&km&4J_Wm*s~5I4MpRinCypSMhw|TV9|6QIGM+t{VEX8=$J@@ToXIna%_4kg?{Bs7Gp_Lv3cui(os_PA&+QE z+B-`7qkvVd&j&Aziryl6rwmC!q_Oj`1>X=oef`l3KZ-n-Y6wF@V`m)%L^bsOT`qLG z)j>e>Rm@iU=sB-M?QW@V*E96V+TpmWckL`gxm$^+&#||^zZrg^qjI2N^_?K;<;|v6 zNXkd|yw`092<#$G;R&vqE@2DMShZ^HPm|MqUE9G`cSS0zc@BJ%s(Hs6@eXO}LATlP zM|{Rhwgwt<^gFCmmeFYrIk3(sC9eq|Ue0_PRmUSWA^<#rMn`4&O4c4;zJ+ja zrAM#7hfxOznRko5vQHyzcMr$Ymrv3yifXzEiv0I4x_v@69zfigWxjwERAl2mNO$w* z5jJqsvkUyz>Z)}h1bcH+;}_$%Maz`HQ-$+SyB8zo&d)q=PDD%E=a)bDM!VnYqa}qs zlEt!w$T&vomiD?X_$9oh8J|jHZC_{@6mb~2E7s-b5qY^09nizv4ffS!OC4B97Lbvm zMx(Ymh57FdS35=2u_BUe52u;f^dChZj0(3I{(R`R;SNjDM3Yz9OgVd^py%?_7o6)? zl3llYf)&sy&%Qo-oFFKY=Q zn6^d{suf@Id*k%wDkZT->EhRhme7D>jZymE`F0^ajkc*^{L7}I2XwaXj~JJ!LK&;8eY5nJ7?ZcQ3mn3sPaR6Nf5ELVTiV*UW7OJjYljhJ zgF0^ojmSpX7kaEO&X3_G2LlaP>A@AnCNnNN3r)(JhGbclYD9HDWNpY${{6xWTFzL` z8HxU@Bh;p;AMfeODU*5xdglOzXTW*f-FAd|Czx}XGw860bEmwPp+zna+v3S~b1v>; z*BgX`Zdk^a_hVF=k!@X7{W`lh^IdVB#1!%MA8oMT`rg&Bl8TYI0+&E?vhU{jO9+*S z1kd;8!z65@hC6)P;)L8ND~wUuGd;lQVZL0PRJjO&F&-7{$ssFy48!ft>3spOv!x~C zWgZq<2j-y-VZ*R?GespQ&1q4@JE_)^=3f6O6<^U(U2FA9e%;J~W7m|X5GffMcKW8a zK_!SgO^o54Tyf&}!IYG8O2>Uuf15EE)7HStH2Rq094F;Hc9o=i+%S;k-D2TfvoOEv z0E=a9f}D5Uux>08B{h$1-l|jfNeg-1AR}nJLeB|JO&2j-UwHo-HU?Eb1JNlUBU9e# z|5^w2habR)4>=*I7@oBU@Lm<;|E}CkStSWnrKx{beoo3FpI8-koA~!YlvgXr5_yKD zLcdQ)7q`hhx0FMnr|0M2piCpA&r5&!UalQZ?LHfA$n6m|6G{})dL-h!NPW$(w=a|% zv->UiKJ{QQ2SZm!U$sqncV5Q9LaUsZ#aOoUsD@rEc$Cz4D|Um7dg_i1CNcojeKK$E zr_Sxe1IEAW+&+}_mgI1ZKXxEe!KQa6U0Q7%QZ;Q~>JHXaEon1qsss6pyDn1yIVKJR z#9n3T`zmGtW%qkdq8Es(hv>QU+qsO-UOfI?riV)Ysj#+taO6Y!-%rTDN9I-sT++gA z3qAT-fw=nAzr@)$YYuhk{7hi!hyjwMuKlQ+;p7t_Wddyf^tb#^k`90W28elU3)4j? zcT|x4bRD#V?LTJLuxJZDhWWoG3m6y#fePAhp*Z3Hs0{}M{w{#K4e;okmHL++t~Zb2 zFL@)fd?pxn#Du}#(u)5Q+D|Sj7 zH$1Jl+wgIK=R^=MLkj@K`}OK^UXc?WX+rYx2ET`}>T9Q%Ka~8=g+U4+Msh^WXcvrY z#ausgo&HB`*ZlZ7@q@qh;kM^t_I`Oaj30`Mt~%i@D?mt;uMMsCH^2nd8{(#)*hIv=)sFodQGVfIVVGAczBNHX$h8JQsGOb3n7kTNNC=^1%C#zr3T#IdU~H(O{|F=Z}v zdRDdE;{Z=ly6O4IqO3vB@kK$1X%o3`4mR%VwP7yL@ys+WSA((1*eFqTsNDVa4avL5 z;Uw&22<>nO+N(UTi3*QE9shwc3Ivhlw_bSc$`cjo^7esaZ3!Alj~fwYR1y3R!{HCz z^F7%StE;O8C-x2bN$U%z(>cW2NH1696r0q|1Ou-;Fx zansl{kU7LSv{G&_6rK!dlFeqTGzP@+JH|v{G0n6wu12_Y%PW#AM}1$EuDgOTDOJW9 z)?NR<3fdXIY^8SMa>Cj+93B-G`#>6FjeV6=FUP|R!#C=&G-oQll~@DI5vmpN)k-M| zpJBSj5NUdC6V~zpkTwI_ZOzo9^<2`9T|^|l#0wvQMKgAt{guN>XNcn1A&Fw8&AjUC zZ#$GMW&xFYvYVc48}3Uz?Y+tPdGrEJ~Y}e#9!@nIzj0pLL$SIT$9% z<{epxXf*X8pf7J8h;03%_A)~kXY)>5I_ZR4lvXc^J6cbUJ3~Ani2N?q;H-&Rw|9

lpYe6KI-{@F<2^VS@YY9zx+A2m~A8A1ANJ7XcNLqZJeXwPF(dmaZ3 zcSJ5kTjijXMA$+>-kj891N-?gCNvT3V2J^H&LJxMYJ8y(nDeVTE!U8ohFKZpRb5#njagM&4-BQ$CX*E4iL-ZF8doi%5Ea2CuyKbXP{<-V;y#)JoCm;HWY zQb!u>%F*(qdb_dpq_O0ita&ol_f3=QR2cn;o=!YOG8em`4$ErtVfil~6lxzA&Y8EF z!Q^f#$Ks=<_|V3sIoMt_3|)|7og?&g;i_hqqnPoeI8V8EGq;Mw0l`E!E}OmR)P> z?D51mVEvv~QLCh8LNNb|>o&Qz%Jn_m!M{Vc!(jRniIMa6mA)MFj2z^kaPK{ROFi8h z_#s%q?{v^A{}o3~&i5H8ibeKuXSBZCJ^yO64a^kt0+{=uIuv2>crFpzrrS=)e9=+$ zmBi!+WjyJC_6l^+D$Rv5yi%TZDmfh8wfv4r3T!gLEbDJQL|cV(%H|~wd(NiZnXK}* zO+x-KFC=s%S4o0cttoB^lZ(Wyd9(rb@3E1;PuNL{1;qCoz7qza^D5g{|&31&}gDu;{DiBTlLij#w;tBo?C%gJkN zsC#P?7)P`Z`rZOc)V>}U>f-AdlVdUMFRmeBPOp2E+y@)_wlv9+|7gpASpt!mRQ%G& z4}ZPF@o9;K-k8)kNHXQ}El_rt=?z)=?OOg^LjLSqi!(boi(zA>xm|q=o}JWBj~(c6 zD_fYsVQ0-l=N+Fn)FqSZ=ailqaWe?-oeI-+?0^ve+NS_kVez^3(CqE{Z(+5BB;?x0 zi)@(p%wg1aU&WA9BBy#kpFuwY)JK*{EB*|S(>|e+`>2iVrizn#w17EycUPIbj2VAo z6*lfN*ZPKtS01gL3)0@x_8B^Q9c~f;tmdJ@yp%O&M4VWn!>oyQ+i-O|ykw1RY?&uZ zU;nVN5qQ_daUc(ylO{;R_~F?9_a+R+ zhZZ=I1s@zqC*33Q;!L55~|PyZCK)azr46=;VUO^R-q=| zt1r@kB~}g|?bIq|#xeHOa0+X%1ci6mO-;UqXXw|fU6z+l!RoQoo|;)QHs>#OP-F)% zzRP-t8S-9r4Zq1=JDWQ!hR?Fc#7Z%08b(L>iWEa$>zQWdAWZ{K(%_(@3VGT=I$3YPaBE_UQ`J)Lor5VgjA3p_&OGs) zmxNA5YKN9jNB!r!a(PFAL+Viz_NaIS44zf-6zzP2?N-9}1ecH+(LLk^6q<9~vUh^D zeC@|UnJc4Pw~)6QkS|jCj_2{bv@GB?ta`A!a*4LurlqDZxaDlFc=sMWV4xJWRf%-1 zhCHvhHGK%~UM`V3QOsK<0U|5SW`#FN;zdZ1mN&dv<%U~;ptAu-L2sqPgVF1rbFi3Uw@=a39$)ck zY?G})d9s<8D0c~P%0)}xb5Hh8V45U%OYj(6hCb=5@vudP6h8j);(iDsD4E|G^s5bD zVb+hMxmwqXR>_Gy`fNe+s>Hycio^8E=m%O9*fEZVH1YMDX10~f)d{n4X9Ne!)NVeO z-ex`$$WfrHSJ}SfnN^7)o=|Sr*LK?#?IQ%T+47J3A-6JLY;GO7?Sb77AOzdE7$QT2 zqBUv^^w)6ae=c&nrhHu#C5+7kyaOZ?*>B}FBH6)Tr+Y9pmLwE>ceaB|zo;w%a0(~o z3!Aae4i1`|%~~p1C9_@Ds>2RFExck2l&8%Xqeuad8hClV9px6Tqf*3cXD{-2jkwh= ze?DH5t!rnnbCqj};Ircg`*_v(o;F1>qAy@q%}cDu;)|^srr%D@CyH$1f@q<8*WH+K zunI{7Qx9r?w#7F%dl7yW4H8x-qE^e9eP?qg4Hq3LD-n7P(yJNvQdZ`riJu!xvb?uGk!h8owj{ivlx4%=0greAL z58a=4%b)HSlPK_h8dv^f*O-424zYEXU{lS3SJ}v6CKGu)zc;;E^j^zQL8^OPMC@)o znj&i}M(;p|D`Miqa4_cS8bWHs&ICtOss0frs!8CiD9K};5E&ESL_?_HOBCRpI1o|J z(0_NMi8rZfs^P~S0+l-b5~1vTJ#7%1(pe-C-5qeQ_`O4aLS=D-Ric3PHc&q5t9mFmGJPnHUuYV|nuZrM$ zWj~?8?4r_e6Srl)-aSUI)$d%I&l?6^lPYsoD9n7_35qZXsBupb+qD;md-R%TmPojQQB44Y|R|N3_~7>~)`x(lpGec$Gnl!}*y4SJ`^u+ClNq_KdT&`il zr+bXI=L>JZ*ZJm_wt*i*-KjXy5YK3tng7y~Vchnoi*1jp@!_1bONsFEz69ZOwn^AN zsvg)~ag@N?>3wqFhb?<3DtZ4Tp_u;D-b2j4j(j~8|EC*ogtelC-N6XyX#YuCbMcAo zFRp*?U(o)D1JHu!03*U?$-JUs=eY>ua{qc~)6|>DRG^sO#LBelsgF$3>RrzUKKZa=3m~xF6=%m zYLp)I_rgIUvYzMHHYX`9Oef7N+7%qDRN;r)lOP)8nU!vuh<`_i_?kohD3K8yHVJAm z6W7Fi2s%SY1*E*?b_J@=0hA{^{ z^~9n*k0*2*UeF%Gp2|Iq*#iQT)-I>&+`XrCmRUcEJ0{SsW+Ry|W z-8BJGomU-(>OAR385Nj*)+M}qLCas%3NW4xakcGT2%ZiUf3SwK*l z&(a@`FB&+f5j*p=Q|Yt~0LiX-AX{9_Q`~%Xp~B;G9iJ+=U~h9ik=M2tX&?YdC_-*=xKx1j0$xzl4V2sTx`cIOjhjC5zHR29 zX2ee^i?hk0{{hqBr2vmFkAOi`hm__kr&7;*d0v_b4gnPT^cU;X!OKIqL$)5p#e9w- z^Ha?t|%w>Qb zmu&MmD?SPc6y3O1q*B9ED4z@IDV+q5cZGw0q7QuTMd!rzi@k^%y=CAvz!4i8lR zdJ_Vc!9R1ffU$Hx$l*xW-+Wko#+D+u|2#OqmN6%RUEW6JqOPsdgnTm#(A9f`MUpGj zQqpGzh7&bIetYqh$9C_++a&i)ET zm1V#_G>U5CQ>3_?ds}}cx?Gz$5W^1$#G+o;WIyb&#A4(Anm%&5um!pNBtGvGFnS)4xnk8B%o!=3rNqCuQt zY!(RV#~HVLMIIJ<{6P*#{ED6trZSEqF1%g|f^Q_*2g%3NOauM_bZF5sKldm(-^i|f zzQ1%3@|}=>O-E!J!6kC=K-CX7DUTd(w*)6v$HE?)vK;9lyk)7zQ5;@rd}|k+WOUW7 zlUyxz!&vyo9H}EZ-g;#k%%e$I^7(4exrhPE4$ImL5EA@>A$;D zk&dt8g_dg3p5{JdE){oWC*rPmW63!p3G9~VPK#7Pf3t+Nuo3*Gbv%cbjQ!7@876&o z?+PG&au@xGi04iePGcj?;zE>&e8V5@gPNXG-*4jBECrW*9*j^cf)Zyvc-V1?6RBW5In`>=r)em@es0WLM=B`fL#7Yw?sYe;W(rH=%kOiY)F77@ zVP7&WEC$p7g-($`flmmR{y+pY>#8@ozy8%}!W^JwxO6Qy&h$UdZ-bo#PdLKvVlC5C zQ85CbIsEIZh6H9HbIK~xe=shEX0f?NrC_ihjFP%X)NgOAa9NQB5_=Yziji;X;CL zX@U!nVeSvHDQrZ>=C{JB8!Gbb`UI)^y;_LtT1RVI&b$ekuUz3=-FGF`BhsU_&M|Nk zGk{C?cJzgW`P+&+jQ82Keg2)t(R_U(rAVpqwzEffo4Cu{8$CnAWt?`SckF>wEfMoB zG#5}-xZ1pYc>B0oii>4o&og3JY8$}xHfmX(3GVDg9!(L_go7Hsw`1Q(nfe#J{`%9y!fkDw+k1&Eox-$-#EQRzz zkI3D_5DG6W11Oza!MIx(@qbb_nCd|@CC8piR;exG7`*Esnr zuX!suOZ*0AWRP^o`QAm_mA`;^2bN+B`YJ3|AhyPRnafmIB_-%l^y?dPd1qp7eRwh} zK@uVQNwZv55bL`on0E(vkA32~*Avte!{CyOY~JEmIN3$q9VS*~f#P$0o0%I?vcYHRK6qu-g%~pI=Pm>5lScc^|dB=nY?y3vj;| zKD>o9&}8=9iL?DK(&3d*e^Y9M-?Dgs?*QU>??f%BePK*oYwe=}CFMmRYxo%;Prq(s zf&5|l{Yl#_GYkqEV`4^zyC}hpznG~e-R3CNT^EZ{ZQFS}zk6F}yCN~-jIv|y#CEqNrrBS;S*~($EEv#g(Al3 z^Wuq+joBB)8#H5g^8$aZlx-hYw+_Ycw1Jy~^a2F`wnT82vvfDU!TP z)6C?KK4u z9D@NUQzn~e!P>bd)>)GEG?c|*VpynUVTJBk9HV4!P52=E)8)0tm1np;TWs`)y~-{x zw*7AqsytRIg@_SpGRr8N6daJ1!nn7I9Uz^$@d@eaASfSJ@Kg1)KW%o^*R);-+(Ni* z+o+Y8-W)dXXzmskVCUC^|MNYcF&@Wm@3eH0eX$C&cc40*M;cuBnnM{wNH#BVG%0uA z)YtRdB`TmL-B0yCrqsZEcrZU!OFozWFlJ7vS4642qG&5NWlJC3g@SIYj6j@}1KbJS zPJ8pY-H9U&uWH<@apnL*ChcrCOLDHmK)_Z3#(StdO~BX+L@v245OEJd-4%Mu_mszHRRFoul^dRY&D=?mH>SV zursxLIXunDf4r1^yu?q(hm`2kej2+D&g2tW6QJzDb2hNDIW}@0uXs)Ix4_X#qC%M5 zVyzywdreLRgI*~zbx5MG_n7>bUOwTVw-rmQ!}bJ8+wBBQoV}5nQ(-ZM{*YduA883& zv$6;(kRW|^nL9<0O?#szwQtAL1hgxv@UDqV@-u#h@{K;xxRF`_=dM!cQ6c4S;-_g+ zuItj|{&GmXP8WGq)Tlje19N+NK{PfYvRrd$xm?oIRq1j+sdm`A$RH&3VWtdLtS?S0 zS&}%!T^xCMrtRi0-rL@y_5cwC`N@ZdkJ6*Mb0s7vckXIah(g9ggHG$_cO`6%DWrw< zU+_kSGV|6t?$C6{|NlT}QJdoi(k7gshqZIBQ-ZoPK7#lP9-~>b*`i!}i!=5v#R_%(p7_ zwgMlO^l}JOM|`f(%!9-|Ea@G0I0FO8#gQpxYxK1ZtPm%(+nyaJ8?8W1c9;wuG)`E= zVEhy@qVkPhxoWytbk9O3U++S8%UnvTQtyC7lyP?&W#I)qrn-TWq$ul{%G2HGlx9Dd zYO@`(cemdS?uvLn;)vic>?o8Zj2%(fExZ#vH27=Pn#V%0!VpAdFG*BPI>GM&-JiS(Ff6dS%c@I5_0E%C8V#V^@SB}aLUn6SqI!u z{&K@_?m0-TXQ_6{vrtHAE4c*csshSN%~BSNaG4odpPGaRX?Lw72WC(l0qTOuj7u_f zwn!=fQlo0U?rBua%1xu!B>^P`hR|c_9M`M)3uUlQy~E-fdJnAQbBpDF{MHBbj03m# zJC!|#CUofQ`95{9i!iRTZ-F{J6k~4qkjoavc5`^P_wLY6;zju{y4z(ea;!xCgUsno z<FKG zF?%4nCtpmOB-G93!uit1xG9Krd$r>h0fWeq{p9-NyR-M-5PuX{SE?azzLgWkqIYWz6HyjPOP20B zE_{l2lpL&WWo_yyVT!awHpu!bjHfY{WH(TQ?|ZGA3ofcy{QNj~_HzPgVV#ap(I!QF z4Bk3Lz1NZplBcI^BIGC|v2m(OMthI7&qo?=9uQLFqr@$d%9OQtje}@cE1DiCS{B6t z$ADg~pqdv%<3;1d=8B_o!kkX?R1oH51_kX}Z&pNJfYnm&(rj=Kvy(dl{A-=PpN7h@ zYxP-kfYNRC%O!IPDYt|S@i=*XW6Dyt$KjC-ls$4GY0@N19NnjnZ(bTl(WFx zLDrfhm~td(%uKE-7QWh%M0+0?IH*%)KirSLqxml8X}D5valB=>1GFaqEC#vOhDd=d z?KGBn<8nfu!)BttsTp_nSQKI;SCTk9gEr2uZ`y0yp3NF(ee>4q zlydkn-n#q0_bIbjuUKTNf+Ff}Uv6)aC))_StcP&gCr}#IFh(4H$0P6EZ%a-sKJJ@L z*y#Sj5mCPd2&8t}f!<1kIN6Zz3v;NiV8Ek&Xa7Lb=2)37%GKNh6VLS-Vbg4EsiwTS z+FpT0X-d?l+Q-UCT8`^Zqwd{aYdduyyQao;XQkaJB#xD?X%pO3p2Guni}GWnYo zZ_v}6-&2fHo5L$@ix{I$T9=s=cgpQLVNk7q+>2CuTf^m=Mn|tmUbAXl7es2Yx|(HA zvG!EE%J;FJbO`=(7H*K;u5IW>mLS0mbS>{>ORGfxVvNUWhZ76KbQ`go~J3ZT@#MkomdaEkxzP-KDpX!yx%Y#YrGD?!PwoEPA5Y>-+H)KXT ze6vDL9iBN=cb8v`l+_DN+#YXbU*F%}{6JpbRTF)Pzrz+3PrrXZnM-hTG}To2kG zMgM?&VM{Th#{HU|8kCMUPM7{wZx}cZ@4exQ(VaMi@u6o{%n-3;K0YJU7SjAWxZbh} zgLckjZ(7XL&PmMK|8;dF~*ZRvO znj1PF)M8LYEvu}#(sfBTW^T%%k9$;VMwpqaN15M)xbuu{VoA7K^?r~C%Oq7kMP>A! zR%(_G~!%k+^ zzA&MeYbv;xa+DJ75tt=@2t_xD(Ob(bDejdr^d*Hf*%wRD8}tOjcy{l4@NQKMAFonM zS(hjIjCWZo&G%XQLSj}IA+_PJ6QeMtf@*!FDExd=8$OG)=aT!5IR_Yjbi@A|D0!?&~(Y;jqnz-{xVK zr_`BVpZ65}?WKB)2w&GS$+@dCeGpdVA0kb6i-n8_p?*`TB-c+_&9bhHk;=cBxQ4*O?&GqR%7oOWh{@e21Wp!yG@a0~1Jtt-iSxVd z+J>JpC)Xpc%gl3lp)oHKh$DV$IiS^NFLGvpp1L%M)l%a8`*DS0Q=vId36jvLYfoYA z+&jf>lZ_KZS;aoMlH1ZjfS<%x3wBk2}(P(Uc6WBk{t@hR*eFs*{aLw=HF!-mENeqnf*o`a0y29#uO(R-89 zGpp!-Msn+~a?pGKbag!CyKppkU-1&90L+&TY?eoB8DN<%x!f)-I%cg=7QmcZ83fv4 zPSjEG=;$ar$Z-A?pdbhyyRh1VvMRr@(tqA*xEk^kuPyiROj3Hfv&p|r+@VM7qv^Kb z$Q@M?`4;leX(V< z7d~sgvM=Wb+UuZTv`;QLM_$?tYNk9Qh)xOe!ZHCXHI}@+=9<7NIc|-9Q0(5-OW$d- zse5mz-q-rA4LZ!1HBP-{oz2{1%Hv_Wo+%6sP}5 zmcyfu&PO%we_gZPp7KrVRY^AkL-gDd_mnu*B7@dS;&gJRm2}Uz$L#L`64--R#*w>T zq5EHQS2B=^LzJ7@QH;iU1Ay`N-w_EAsZNN#TKu Date: Mon, 21 Jun 2021 16:16:33 +0100 Subject: [PATCH 174/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 149be2e826..b879108731 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -231,13 +231,13 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Join an Azure Active Directory account to the device -Windows diagnostic data is collected when the **AllowTelemetry** policy setting is set to 1 – Required (Basic) or above. +Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above. -If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s privacy statement at https://go.microsoft.com/fwlink/?LinkId=521839 unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. +If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. -See the documentation at https://aka.ms/ConfigureWWD for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. +See the documentation at [ConfigureWWD](https://aka.ms/ConfigureWWD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. @@ -277,7 +277,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: - Enable this policy setting -- Set **AllowTelemetry** to 1 – Required (Basic) or above +- Set **AllowTelemetry** to 1 – **Required (Basic)** or above - Set the Configure the Commercial ID setting for your Desktop Analytics workspace This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. @@ -1764,8 +1764,7 @@ The following list shows the supported values: -This policy setting, in combination with the System/AllowTelemetry - policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. +This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior, you must complete two steps: @@ -1777,7 +1776,7 @@ To enable this behavior, you must complete two steps: When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. +Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. From 55f8acd57f9ba09b77f08b47e8fa612dbbc21e56 Mon Sep 17 00:00:00 2001 From: Guillaume Bordier Date: Mon, 21 Jun 2021 17:17:32 +0200 Subject: [PATCH 175/370] Update hello-feature-pin-reset.md removed double quotes from ConfigureWebSignInAllowedUrls proposed value. --- .../hello-for-business/hello-feature-pin-reset.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6d1ae1fbd1..c772362fa2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -197,7 +197,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - **Description:** (Optional) List of domains that are allowed during PIN reset flows. - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls - **Data type:** String - - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be "signin.contoso.com;portal.contoso.com" + - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com (no double quotes) ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png) @@ -218,4 +218,4 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From fbd691a0183bb23582c11491bef1c242689c1d6b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:27:11 +0100 Subject: [PATCH 176/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b879108731..7336fae115 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -272,7 +272,7 @@ The following list shows the supported values: -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms. To enable this behavior, you must complete three steps: @@ -898,7 +898,7 @@ ADMX Info: -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. To enable this behavior, you must complete three steps: From f18c6b40cad1b33dc34ec88253677dfe4068bcb5 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:35:32 +0100 Subject: [PATCH 177/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 7336fae115..68a2c05711 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -657,10 +657,10 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. >[!IMPORTANT] - -> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices. +> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.

+ **System/AllowStorageCard** From 21f573f0e47e9e85938b128248927a49f433b529 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:40:42 +0100 Subject: [PATCH 178/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 68a2c05711..766e283570 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -56,7 +56,7 @@ manager: dansimp System/AllowTelemetry
- System/AllowUpdateComplianceProcessing + System/AllowUpdateComplianceProcessing
System/AllowUserToResetPhone @@ -801,7 +801,8 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): -- 0 – **Off (Security)** This turns Windows diagnostic data off. + +- 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. @@ -854,7 +855,7 @@ ADMX Info:
-**System/AllowUpdateComplianceProcessing** +**System/AllowUpdateComplianceProcessing** From cbad357f3183fc6e0ddb449aba1b72f50c11a548 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:40:52 +0100 Subject: [PATCH 179/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 766e283570..6443af10bb 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -657,6 +657,7 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. >[!IMPORTANT] + > You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.
From 92a5cbe7b46044ad7c91c55d4f7de5a46bd74fec Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:43:33 +0100 Subject: [PATCH 180/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 6443af10bb..766e283570 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -657,7 +657,6 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. >[!IMPORTANT] - > You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.
From 6490ee28f6d7c7c4d1a202416f8a4b44e3cc887e Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:47:56 +0100 Subject: [PATCH 181/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 766e283570..71b47496b8 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -657,8 +657,8 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. >[!IMPORTANT] -> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices. +> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.
From 0f75888d9b2259f5e0de1dc080ba46e15b6ff8a5 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:52:05 +0100 Subject: [PATCH 182/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 71b47496b8..766e283570 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -657,8 +657,8 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. >[!IMPORTANT] - > You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices. +
From 26809832d8713b27cfbff76bbec99d77a988873f Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 16:58:23 +0100 Subject: [PATCH 183/370] Update policy-csp-system.md --- .../mdm/policy-csp-system.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 766e283570..74b876af4f 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -228,8 +228,8 @@ This policy setting configures an Azure Active Directory joined device so that M To enable this behavior, you must complete two steps: -- Enable this policy setting -- Join an Azure Active Directory account to the device + 1. Enable this policy setting + 2. Join an Azure Active Directory account to the device Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above. @@ -276,9 +276,9 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: -- Enable this policy setting -- Set **AllowTelemetry** to 1 – **Required (Basic)** or above -- Set the Configure the Commercial ID setting for your Desktop Analytics workspace + 1. Enable this policy setting + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above + 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. @@ -903,9 +903,9 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: -- Enable this policy setting -- Set **AllowTelemetry** to 1 – **Required (Basic)** or above -- Set the Configure the Commercial ID setting for your Update Compliance workspace + 1. Enable this policy setting + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above + 3. Set the Configure the Commercial ID setting for your Update Compliance workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -1004,9 +1004,9 @@ This policy setting configures an Azure Active Directory joined device so that M To enable this behavior, you must complete three steps: -- Enable this policy setting -- Set **AllowTelemetry** to 1 – **Required (Basic)** or above -- Join an Azure Active Directory account to the device + 1. Enable this policy setting + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above + 3. Join an Azure Active Directory account to the device When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -1769,8 +1769,8 @@ This policy setting, in combination with the Allow Telemetry policy setting, ena To enable this behavior, you must complete two steps: -- Enable this policy setting -- Set the **AllowTelemetry** level: + 1. Enable this policy setting + 2. Set the **AllowTelemetry** level: - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 98918dc567478c00c37821b66c79b0ba1107fe72 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 21 Jun 2021 09:10:40 -0700 Subject: [PATCH 184/370] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 99f5695221..b06abc4571 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From ff1f1a9d6aad7464fa236d97408e0830397b2f7b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 17:30:23 +0100 Subject: [PATCH 185/370] dpsw updates --- windows/client-management/mdm/policy-csp-system.md | 2 +- ...windows-diagnostic-data-in-your-organization.md | 14 +++++++------- .../privacy/windows-10-and-privacy-compliance.md | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 74b876af4f..2c16e189c8 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -648,7 +648,7 @@ The following list shows the supported values: This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. -For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). +For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 033030780e..e1399e402a 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -271,22 +271,22 @@ For information on these services and how to configure the group policies, refer Desktop Analytics: -- [Enable data sharing - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/enable-data-sharing) -- [Desktop Analytics data privacy - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/privacy) -- [Group policy settings - Configuration Manager | Microsoft Docs](/mem/configmgr/desktop-analytics/group-policy-settings) +- [Enable data sharing](/mem/configmgr/desktop-analytics/enable-data-sharing) +- [Desktop Analytics data privacy](/mem/configmgr/desktop-analytics/privacy) +- [Group policy settings](/mem/configmgr/desktop-analytics/group-policy-settings) Update Compliance: -- [Privacy in Update Compliance - Windows Deployment | Microsoft Docs](/windows/deployment/update/update-compliance-privacy) -- [Manually configuring devices for Update Compliance - Windows Deployment | Microsoft Docs](/windows/deployment/update/update-compliance-configuration-manual#required-policies) +- [Privacy in Update Compliance](/windows/deployment/update/update-compliance-privacy) +- [Manually configuring devices for Update Compliance](/windows/deployment/update/update-compliance-configuration-manual#required-policies) Microsoft Managed Desktop: -- [Privacy and personal data - Microsoft Managed Desktop | Microsoft Docs](/microsoft-365/managed-desktop/service-description/privacy-personal-data) +- [Privacy and personal data - Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/privacy-personal-data) Windows Update for Business: -- [Windows Update for Business deployment service - Windows Deployment | Microsoft Docs](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) +- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) ## Limit optional diagnostic data for Desktop Analytics diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 9d66846576..b75beff331 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -175,7 +175,7 @@ We recommend that IT administrators who have enabled the Windows diagnostic data Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Desktop Analytics, and Microsoft Managed Devices. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). -For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation - Microsoft GDPR | Microsoft Docs](/compliance/regulatory/gdpr). +For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr). ## 3. The process for exercising data subject rights From 0a665b0078552a7d72dfd7b721edbc5700c5fde4 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 17:40:57 +0100 Subject: [PATCH 186/370] dpsw updates --- windows/client-management/mdm/policy-csp-system.md | 2 +- ...figure-windows-diagnostic-data-in-your-organization.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 2c16e189c8..934e125625 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -648,7 +648,7 @@ The following list shows the supported values: This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. -For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data - Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). +For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index e1399e402a..25b389048a 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -271,9 +271,9 @@ For information on these services and how to configure the group policies, refer Desktop Analytics: -- [Enable data sharing](/mem/configmgr/desktop-analytics/enable-data-sharing) +- [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing) - [Desktop Analytics data privacy](/mem/configmgr/desktop-analytics/privacy) -- [Group policy settings](/mem/configmgr/desktop-analytics/group-policy-settings) +- [Group policy settings for Desktop Analytics](/mem/configmgr/desktop-analytics/group-policy-settings) Update Compliance: @@ -282,11 +282,11 @@ Update Compliance: Microsoft Managed Desktop: -- [Privacy and personal data - Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/privacy-personal-data) +- [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data) Windows Update for Business: -- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) +- [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) ## Limit optional diagnostic data for Desktop Analytics From 1f63e30538e368bba8f7804d7d131e3d0d940f8d Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 21 Jun 2021 17:53:58 +0100 Subject: [PATCH 187/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 934e125625..641739b466 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -237,7 +237,7 @@ If you disable or do not configure this setting, Microsoft will be the controlle Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. -See the documentation at [ConfigureWWD](https://aka.ms/ConfigureWWD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. +See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. From f20b7e7a1f92c38fffd20c3abdde85630969aefa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 13:58:34 -0700 Subject: [PATCH 188/370] edits --- windows/whats-new/windows-sv-plan.md | 126 +++++++++---------- windows/whats-new/windows-sv-requirements.md | 53 ++++++-- windows/whats-new/windows-sv.md | 28 ++--- 3 files changed, 117 insertions(+), 90 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 87cefa2210..aa15b3748b 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -25,101 +25,101 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: -- Create a deployment plan. -- Define readiness criteria. -- Evaluate current infrastructure and tools. -- Determine application readiness. -- Define your servicing strategy. +- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) +- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) +- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) +- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) +- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -Most organizations will have a mix of Windows Sun Valley and Windows 10 devices side-by-side as they integrate the upgrade into their environments. As such, there are unique yet largely familiar considerations to take into account when planning your deployments. +If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. -## Upgrade eligibility +## Determining eligibility -As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found [here](windows-sv-requirements.md). However, in general you should expect that if your devices were purchased within the last 18-24 months, they will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. -Analysis tools will be developed and made available to validate devices against the Windows Sun Valley hardware requirements. A standalone tool is planned, and upgrade eligibility will also be integrated into your existing enterprise deployment tools. - -When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. - -For organizations with investments in enterprise deployment tools, analytics functionality will be available to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  + +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint Analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability -As with Windows 10, the availability of Windows Sun Valley will vary depending on whether the device is unmanaged and receives updates from Windows Update, or a device is managed using tools operated by an IT administrator. - -##### Unmanaged devices - -For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. - -> [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. - -After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose whether or not to upgrade. - -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning the last quarter of calendar year 2021. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. ##### Managed devices -The right time to upgrade will be different for each organization and environment. You can choose between Windows Sun Valley and Windows 10, and decide when the time is right to integrate Window Sun Valley into your environment. Initially, it is expected that many organizations will operate with a mix of Windows 10 and Windows Sun Valley. +Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -You can deploy the Windows Sun Valley upgrade to eligible devices using your existing management tools beginning at GA. If you use Windows Update for Business (WUfB), you will have the additional benefit of two safety nets: offering blocks on non-eligible devices that do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices the same way that they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: + +- Blocking the upgrade on non-eligible devices. +- Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end user license agreement (EULA). If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new EULA on behalf of the end users within your organization. +> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. Additional considerations: -- Windows 10 Pro or higher can upgrade for free using existing management tools. +- Devices running Windows 10 Pro or higher can upgrade for free using existing management tools. - Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. - Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. - You can downgrade to any version of Windows Pro that has not reached its end of support date. -## Availability and upgrade path +##### Unmanaged devices -As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for existing eligible devices as well as for new devices. +Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. -To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, and to explore new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. - -You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: -1. Configure Manage Preview Builds to **Release Preview** with WUfB. -2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. -3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. - -Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. Just go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in the summer of 2021. - -## Quality updates - -- Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates. -- Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. -- Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. - -## Servicing duration - -Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. - -Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. - -THIS SECTION DOESNT EXIST: For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). -Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. -A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. +Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. + +> [!NOTE] +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. + +The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +## Windows Sun Valley readiness considerations + +The recommended method for organizations to determine if their infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features in details. + +As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: +- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune, allowing you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). + +For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). + +The introduction of Windows Sun Valley is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. + +## Servicing and support + +Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. + +Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Windows Sun Valley devices will receive a single feature update annually, targeted for release in the second half of each calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the date of release. + +When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. + + +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. ## Application compatibility -Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Microsoft's compatibility promise for Windows 10 that upgrades will preserve application compatibility is maintained for Windows Sun Valley. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. Windows Sun Valley has passed the same app compatibility validation requirements that are in place for Windows 10 feature and quality update releases. +Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, and it is passing these requirements. -#### App Assure and Test Base +#### App Assure and Test Base for Microsoft 365 + +If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. + +With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. + +For software vendors and systems integrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. -With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - -If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. - ## Next steps [Prepare for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index d9c0d22b1a..99d261a3d9 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -25,21 +25,20 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V ## Hardware requirements -To install Windows Sun Valley, devices must meet the following specifications: +To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster processor or SoC; dual-core CPU or greater - - Intel 8th generation, Intel Celeron N4000, Pentium N5000 - - AMD Ryzen gen 2 (Zen+), AMD 3xxx - - Qualcomm 7c, 8c, 8cx +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](http://aka.ms/CPUlist) or system on a chip (SoC) +- RAM: 4 gigabytes (GB) or greater +- Storage: 64GB or greater available storage is required to install Windows Sun Valley + - Additional storage space might be required to download updates and enable specific features +- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver +- System firmware: UEFI, Secure Boot capable +- TPM: Trusted Platform Module (TPM) version 2.0 +- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel +- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. + - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -- RAM: 4 gigabyte (GB) or greater -- Hard disk space: 64GB, 64-bit architecture -- Graphics card: DirectX 12 or later with WDDM 2.x driver -- Security: Trusted Platform Module (TPM) 2.0 chip, UEFI support, Secure Boot capable -- Display: 9" monitor size or greater with HD (1366 x 768) resolution or greater -- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. It is required for the Home edition of Windows Sun Valley. - -For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. +For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -49,6 +48,34 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > S mode is not supported on Windows Sun Valley. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. +## Feature-specific requirements + +Some features in Windows Sun Valley have requirements beyond those listed above. See the following list: + +- **5G support** requires 5G capable modem. +- **Auto HDR** requires an HDR monitor. +- **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana** requires a microphone and speaker and is currently available on Windows 11 for the Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States +- **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU +- **DirectX 12 Ultimate** is available with supported games and graphics chips +- **Presence** requires sensor that can detect human distance from device or intent to interact with device +- **Intelligent Video Conferencing** requires video camera, microphone and speaker (audio output) +- **Multiple Voice Assistant** requires a microphone and speaker +- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width +- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute +- **Spatial Sound** requires supporting hardware and software +- **Microsoft Teams** requires video camera, microphone and speaker (audio output) +- **Touch** requires a screen or monitor that supports multi-touch +- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities +- **Voice Typing** requires a PC with a microphone +- **Wake on Voice** requires Modern Standby power model and microphone +- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router +- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key +- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct +- **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. + + ## Next steps [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index b1b09d27be..31c967b779 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -22,34 +22,36 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating systgem release. -Also see the following articles to learn about Windows Sun Valley: +Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. -This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise we made with Windows 10. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. +This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning in the last quarter of the 2021 calendar year. Windows Sun Valley will also be available on new, eligible devices. -For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same channels that you use for Windows 10 feature updates today. Existing deployment and management tools such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot can be used to deploy and manage Windows Sun Valley. Commercial organizations running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). -For personal devices and other unmanaged PCs that meet the eligibility requirements, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +For eligible PCs that are not managed by an organization, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. Windows Sun Valley will initially be offered to Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements. -If you are interested in testing Windows Sun Valley before general availability, you can join the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). +For those interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). ## Before you begin +Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following is a quick summary of licensing, compatibility, management, and servicing considerations. + #### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -64,16 +66,14 @@ Windows Sun Valley preserves the application compatibility promise made with Win #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). #### Servicing Windows Sun Valley -Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). - -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page. +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). ## Next steps [Windows Sun Valley requirements](windows-sv-requirements.md)
-[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From 3e49e11277468a943426735c54d2bb692e2024f7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 14:11:04 -0700 Subject: [PATCH 189/370] edits --- windows/whats-new/windows-sv-plan.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index aa15b3748b..31658c2150 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -55,7 +55,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
+> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. Additional considerations: @@ -69,8 +69,6 @@ Additional considerations: Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. - - Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. > [!NOTE] From 18e50e69af70791ad22788321e44d64f71e6d2de Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:05:43 -0700 Subject: [PATCH 190/370] draft of final --- windows/whats-new/windows-sv-plan.md | 4 +- windows/whats-new/windows-sv-prepare.md | 107 ++++++++++++++----- windows/whats-new/windows-sv-requirements.md | 2 +- windows/whats-new/windows-sv.md | 4 +- 4 files changed, 88 insertions(+), 29 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 31658c2150..3f6adedbbd 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -33,7 +33,7 @@ Since Windows Sun Valley is built on the same foundation as Windows 10, you can If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. -## Determining eligibility +## Determine eligibility As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. @@ -43,7 +43,7 @@ Enterprise organizations looking to evaluate device readiness in their environme ## Windows Sun Valley availability -Windows Sun Valley will be offered to eligible Windows 10 devices beginning the last quarter of calendar year 2021. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. ##### Managed devices diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index db5959e103..238373f36b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -22,46 +22,105 @@ ms.topic: article Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect time. Or, if you are exclusively using an on-premises management tool such as Configuration Manager (Note: Config Mgr is part of MEM, need clarification here), using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. -Policies related to deployment may need to be updated or re-evaluated, considering update compliance deadlines, device activity policies, and the replacement of older policies. A servicing mindset focused on keeping current means creating a deployment plan to build out your servicing strategy. +## Infrastructure and tools -## Analytics +The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. Aa few nuanced differences are described below: -If you’re a Microsoft Endpoint Manager customer, make sure you’ve onboarded your devices to Endpoint analytics. Later this year, we’ll be providing a hardware readiness assessment directly in Endpoint analytics so that you can quickly identify which of your managed devices meet or exceed the minimum hardware requirements. +#### On-premises solutions -If you’d rather start exploring Windows Sun Valley readiness within your organization right away, take advantage of our [hardware eligibility assessment script](add link). By following the instructions to deploy and aggregate results via Microsoft Intune or Configuration Manager, you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see Windows Sun Valley offered as an option. -## Management tools +> [!NOTE] +> During deployment, you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. -The toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Windows Sun Valley. There are a few nuanced differences described here: +- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. -#### On-premises management +> [!NOTE] +> Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. -- Windows Server Update Service (WSUS): Commercial customers using WSUS will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see the feature update to SV. Please note that during deployment you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will note there is no x86 (32 bit?) payload for Windows Sun Valley as such is no longer supported on Windows Sun Valley going forward. -- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows Sun Valley” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Windows Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +#### Cloud-based solutions -#### Cloud management +- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. -- Windows Update for Business (WUfB) Group Policy (GP) and Configuration Service Provider (CSP) policies: Commercial customers using WUfB will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using WUfB through Group Policy Management Console (GPMC), MEM Intune, or other 3rd party management tools. -- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley, version 21H2. You will be able to continue using the same update experience controls to manage the behavior of the device once updates are offered for either Windows 10, version 21H2 and Windows Sun Valley, version 21H2. +You'll also want to check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. -## Deploy Windows Sun Valley +## Cloud-based management -Since your familiar Windows 10 toolsets are meant to be used with Windows Sun Valley as well, then managing, securing, and deploying Windows Sun Valley devices will be well known procedures in the plan, prepare and deploy process. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. -Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Windows Sun Valley is no different. Further, in your blended environment of Windows 10-capable devices and Windows 10 + SV-eligible devices, you will be poised to roll out an update to a select number of devices. Once you’ve gone through the checklist of pilot deployment tasks such as assigning the pilot devices from your prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth, you can deploy to your test group. We recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: -Using artifacts from your Plan and Prepare phase (such as security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Windows Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +- **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. +- **Configure rules and control settings for users, apps, and devices for both Windows SV and Windows 10**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Windows Sun Valley as well. +If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. + + +## Review servicing approach and policies + +Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. + +To begin, think about how you roll out Windows updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: + +- Preview (first or canary): Planning and development +- Limited (fast or early adopters): Pilot and validation +- Broad (users or critical): Wide deployment + +For more information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). + +#### Review policies + +Review deployment-related polices, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. + +#### Validate apps and infrastructure + +To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started) and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). + +If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: + +- Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. +- Leverage Azure Virtual Desktop and Azure Marketplace images . +- Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. + +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. + +#### Analytics and assessment tools + +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. + +For those that are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's **hardware eligibility assessment script**. This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. + +## Prepare a pilot deployment + +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production before deploying it broadly across the organization. + +At a high level, the tasks involved are: + +1. Assign a group of users or devices to receive the update. +2. Implement baseline updates. +3. Implement operational updates. +4. Validate the deployment process. +5. Deploy the upgrade to devices. +6. Test and support the pilot devices. +7. Determine broad deployment readiness based on the results of the pilot. + +## End user readiness + +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: + +- Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. +- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. +- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. + +## Learn more + +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows Sun Valley. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) - -• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. - -• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. - -• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Windows Sun Valley effectively. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 99d261a3d9..341495b506 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -27,7 +27,7 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](http://aka.ms/CPUlist) or system on a chip (SoC) +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) - RAM: 4 gigabytes (GB) or greater - Storage: 64GB or greater available storage is required to install Windows Sun Valley - Additional storage space might be required to download updates and enable specific features diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 31c967b779..86cffe9e8f 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -38,7 +38,7 @@ This release is built on the same foundation as Windows 10, so the investments y ## How to get Windows Sun Valley -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning in the last quarter of the 2021 calendar year. Windows Sun Valley will also be available on new, eligible devices. +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). @@ -70,7 +70,7 @@ Windows Sun Valley is built on the same foundation as Windows 10, so generally y #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From bd2ceade13af7d98a2b51b3f0dd5d3f01e855109 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:09:53 -0700 Subject: [PATCH 191/370] draft of final2 --- windows/whats-new/windows-sv-prepare.md | 1 - windows/whats-new/windows-sv.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 238373f36b..71e51fe64f 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -60,7 +60,6 @@ The following are some common use cases and the corresponding Microsoft Endpoint If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. - ## Review servicing approach and policies Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 86cffe9e8f..6a44007c98 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -62,7 +62,7 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes From 9e9e77eeec912044aaf4f1eda89dc110adbdb2b9 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:43:46 -0700 Subject: [PATCH 192/370] draft of final3 --- windows/whats-new/windows-sv.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 6a44007c98..3aca95c50b 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -27,12 +27,12 @@ This article provides an introduction and answers some frequently asked question Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. +- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. From 665bbb05d938f640924b6f83e18e5dbc65f781f7 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 22 Jun 2021 16:03:34 +0100 Subject: [PATCH 193/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 641739b466..276a6d4d84 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -286,6 +286,14 @@ When these policies are configured, Windows diagnostic data collected from the d If you disable or do not configure this policy setting, devices will not appear in Desktop Analytics. +The following list shows the supported values: + +- 0 (default) – Disabled. +- 2 – Allowed. + + + +
From 012e0b3338d2ec20be7a95aa5852c7d4523cdffa Mon Sep 17 00:00:00 2001 From: Brian Delaney <68655382+briandelmsft@users.noreply.github.com> Date: Tue, 22 Jun 2021 11:52:02 -0400 Subject: [PATCH 194/370] Update event-4627.md resizing image to max the text to its right easier to read --- windows/security/threat-protection/auditing/event-4627.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index ff63c0c122..cf25e61624 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -21,7 +21,7 @@ ms.technology: mde - Windows Server 2016 -Event 4627 illustration +Event 4627 illustration ***Subcategory:*** [Audit Group Membership](audit-group-membership.md) From b2087ddf915607b1f00bc132598694ba6f7cac51 Mon Sep 17 00:00:00 2001 From: Brian Delaney <68655382+briandelmsft@users.noreply.github.com> Date: Tue, 22 Jun 2021 11:55:18 -0400 Subject: [PATCH 195/370] Update event-4627.md Updating image size to max text on its right easier to read and consistent with other events --- windows/security/threat-protection/auditing/event-4627.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index cf25e61624..0ae5e51990 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -21,7 +21,7 @@ ms.technology: mde - Windows Server 2016 -Event 4627 illustration +Event 4627 illustration ***Subcategory:*** [Audit Group Membership](audit-group-membership.md) From b56593cebea82935ccd06883cea9646c5ce6edd6 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Tue, 22 Jun 2021 10:48:28 -0700 Subject: [PATCH 196/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 42 +++++++------------ 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 822869ba60..f9382b3938 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -604,34 +604,20 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| -| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** | -| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** | -| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** | -| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** | -| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** | -| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** | -| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** | -| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** | -| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** | -| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** | -| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs | -| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** | -| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** | -| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** | -| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** | +| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SearchSuggestEnabled Set to 0**| +| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillAddressEnabled Set to 0**| +| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillCreditCardEnabled Set to 0**| +| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: ConfigureDoNotTrack Set to 1** | +| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: PasswordManagerEnabled Set to 0**| +| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: DefaultSearchProviderEnabled Set to 0**| +| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: HideFirstRunExperience Set to 1**| +| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SmartScreenEnabled Set to 0**| +| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL
**Set to Enabled-Value “about:blank”**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_SZ name: NewTabPageLocation Set to about:blank**| +| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: RestoreOnStartup Set to 5**| +| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts
**Set to Disabled**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs
**REG_SZ name: 1 Set to about:blank**| +| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default
**Set to Enabled - 'Updates disabled'** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: UpdateDefault Set to 0**| +| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to Enabled - Set Value for Minutes between update checks to 0**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0**| +|**Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to RestrictedMode**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0**| ||| ### 14. Network Connection Status Indicator From bddcb1af8601cb8bd0b2bf74cce24e70d42631fa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 11:22:53 -0700 Subject: [PATCH 197/370] close to final --- windows/whats-new/windows-sv-plan.md | 26 +++++++------------- windows/whats-new/windows-sv-prepare.md | 11 +++++---- windows/whats-new/windows-sv-requirements.md | 6 ++--- windows/whats-new/windows-sv.md | 9 +++++-- 4 files changed, 25 insertions(+), 27 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 3f6adedbbd..81e3281c7d 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,7 +24,7 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) that are in place for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) @@ -35,11 +35,11 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V ## Determine eligibility -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. The majority of devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint Analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability @@ -49,7 +49,7 @@ Windows Sun Valley will be offered to eligible Windows 10 devices beginning late Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: - Blocking the upgrade on non-eligible devices. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. @@ -58,13 +58,6 @@ If you manage devices on behalf of your organization, you will be able to upgrad > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. -Additional considerations: - -- Devices running Windows 10 Pro or higher can upgrade for free using existing management tools. -- Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. -- Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. -- You can downgrade to any version of Windows Pro that has not reached its end of support date. - ##### Unmanaged devices Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. @@ -95,14 +88,13 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. -Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Windows Sun Valley devices will receive a single feature update annually, targeted for release in the second half of each calendar year. -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the date of release. +Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availabily date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. - -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. ## Application compatibility @@ -114,7 +106,7 @@ If you run into compatibility issues or want to ensure that your organization's With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software vendors and systems integrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. +For software vendors, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 71e51fe64f..da5759ab4b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -26,7 +26,10 @@ After you evaluate your hardware to see if it meets [requirements](windows-sv-re ## Infrastructure and tools -The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. Aa few nuanced differences are described below: +The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. + +> [!IMPORTANT] +> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. #### On-premises solutions @@ -46,8 +49,6 @@ The tools that you use for heavy lifting during Windows 10 deployments can still - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. -You'll also want to check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. - ## Cloud-based management If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. @@ -64,7 +65,7 @@ If you are exclusively managing devices on-premises (for example, using Configur Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. -To begin, think about how you roll out Windows updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation @@ -100,7 +101,7 @@ A pilot deployment is a proof of concept that rolls out an upgrade to a select n At a high level, the tasks involved are: -1. Assign a group of users or devices to receive the update. +1. Assign a group of users or devices to receive the upgrade. 2. Implement baseline updates. 3. Implement operational updates. 4. Validate the deployment process. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 341495b506..a1ae360f30 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -46,7 +46,7 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements @@ -56,7 +56,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Auto HDR** requires an HDR monitor. - **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows 11 for the Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States +- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States - **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU - **DirectX 12 Ultimate** is available with supported games and graphics chips - **Presence** requires sensor that can detect human distance from device or intent to interact with device @@ -71,7 +71,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Voice Typing** requires a PC with a microphone - **Wake on Voice** requires Modern Standby power model and microphone - **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router -- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key +- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct - **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 3aca95c50b..fcbf1043e9 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -60,13 +60,18 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W #### Compatibility -Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. +Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. If you use non-Microsoft tools, check with your vendor to verify compatibility. + +> [!IMPORTANT] +> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. + +For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). #### Servicing Windows Sun Valley From e33525fcf0047aef686fcf0daa502645c0f017b7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 11:40:51 -0700 Subject: [PATCH 198/370] remove extraneous --- .../windows-sv-app-manage.md | 17 - windows/client-management/sv-manage.md | 67 ---- .../client-management/windows-sv-manage.md | 19 - windows/configuration/sv-configure.md | 329 ------------------ windows/configuration/windows-sv-configure.md | 17 - windows/deployment/index.yml | 2 +- windows/hub/index.yml | 4 +- windows/sv/TOC.yml | 33 +- windows/sv/breadcrumb/toc.yml | 50 --- windows/sv/docfx.json | 4 +- windows/sv/index.md | 0 windows/sv/index.yml | 61 ---- windows/sv/placeholder.md | 22 -- windows/sv/windows-sv-get-started.md | 36 -- windows/sv/windows-sv-lifecycle.md | 21 -- windows/sv/windows-sv-overview.md | 94 ----- windows/sv/windows-sv-requirements.md | 53 --- 17 files changed, 8 insertions(+), 821 deletions(-) delete mode 100644 windows/application-management/windows-sv-app-manage.md delete mode 100644 windows/client-management/sv-manage.md delete mode 100644 windows/client-management/windows-sv-manage.md delete mode 100644 windows/configuration/sv-configure.md delete mode 100644 windows/configuration/windows-sv-configure.md create mode 100644 windows/sv/index.md delete mode 100644 windows/sv/index.yml delete mode 100644 windows/sv/placeholder.md delete mode 100644 windows/sv/windows-sv-get-started.md delete mode 100644 windows/sv/windows-sv-lifecycle.md delete mode 100644 windows/sv/windows-sv-overview.md delete mode 100644 windows/sv/windows-sv-requirements.md diff --git a/windows/application-management/windows-sv-app-manage.md b/windows/application-management/windows-sv-app-manage.md deleted file mode 100644 index 86ee8a28c0..0000000000 --- a/windows/application-management/windows-sv-app-manage.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Manage applications in Windows Sun Valley -ms.reviewer: -manager: dansimp -description: Use this article to understand the different types of apps that run on Windows Sun Valley, such as UWP and Win32 apps. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- -# Manage applications in Windows Sun Valley - ->Applies to: Windows Sun Valley diff --git a/windows/client-management/sv-manage.md b/windows/client-management/sv-manage.md deleted file mode 100644 index 4fc41d68c1..0000000000 --- a/windows/client-management/sv-manage.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Manage corporate devices (Windows 10) -description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. -ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D -ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: ["MDM", "device management"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp -ms.localizationpriority: medium -ms.date: 09/21/2017 -ms.topic: article ---- - -# Manage corporate devices - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. - -## In this section - -| Topic | Description | -| --- | --- | -| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | -| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | -| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | -| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | -| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | - - -## Learn more - -[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) - -[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) - -[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) - -[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) - -[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765) - -[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) - -[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) - -[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) - -Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) - - - - - - -  \ No newline at end of file diff --git a/windows/client-management/windows-sv-manage.md b/windows/client-management/windows-sv-manage.md deleted file mode 100644 index 22704843bd..0000000000 --- a/windows/client-management/windows-sv-manage.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Manage Windows Sun Valley in your organization -description: This topic offers strategies for deploying and managing Windows Sun Valley, including deploying Windows Sun Valley in a mixed environment. -keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp -ms.localizationpriority: medium -ms.date: 04/26/2018 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article ---- - -# Manage Windows Sun Valley in your organization - diff --git a/windows/configuration/sv-configure.md b/windows/configuration/sv-configure.md deleted file mode 100644 index 15407ebc50..0000000000 --- a/windows/configuration/sv-configure.md +++ /dev/null @@ -1,329 +0,0 @@ ---- -title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 01/18/2018 -ms.reviewer: -manager: dansimp ---- -# Configure Windows 10 taskbar - -Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. - -> [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. - -You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). - -If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. - -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. - -> [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - - -## Configure taskbar (general) - -**To configure the taskbar:** - -1. Create the XML file. - * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. -2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. - * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. - * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. - * Use `` and Desktop Application Link Path to pin desktop applications. -3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). - ->[!IMPORTANT] ->If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. -> ->If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. - -### Tips for finding AUMID and Desktop Application Link Path - -In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. - -The easiest way to find this data for an application is to: -1. Pin the application to the Start menu on a reference or testing PC. -2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. -3. Open the generated XML file. -4. Look for an entry corresponding to the app you pinned. -5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. - - -### Sample taskbar configuration XML file - -```xml - - - - - - - - - - - -``` -### Sample taskbar configuration added to Start layout XML file - -```xml - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Keep default apps and add your own - -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. - -```xml - - - - - - - - - - - - -``` -**Before:** - -![default apps pinned to taskbar](images/taskbar-default.png) - -**After:** - - ![additional apps pinned to taskbar](images/taskbar-default-plus.png) - -## Remove default apps and add your own - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. - -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. - -```xml - - - - - - - - - - - - -``` -**Before:** - -![Taskbar with default apps](images/taskbar-default.png) - -**After:** - -![Taskbar with default apps removed](images/taskbar-default-removed.png) - -## Remove default apps - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. - - -```xml - - - - - - - - - - -``` - -## Configure taskbar by country or region - -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: - -![taskbar for US and UK locale](images/taskbar-region-usuk.png) - -The resulting taskbar for computers in Germany or France: - -![taskbar for DE and FR locale](images/taskbar-region-defr.png) - -The resulting taskbar for computers in any other country region: - -![taskbar for all other regions](images/taskbar-region-other.png) - - -> [!NOTE] -> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) - - - - -## Layout Modification Template schema definition - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Related topics - -- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -- [Customize and export Start layout](customize-and-export-start-layout.md) -- [Add image for secondary tiles](start-secondary-tiles.md) -- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file diff --git a/windows/configuration/windows-sv-configure.md b/windows/configuration/windows-sv-configure.md deleted file mode 100644 index 2a7ccf17d1..0000000000 --- a/windows/configuration/windows-sv-configure.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Configure Windows Sun Valley -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 01/18/2018 -ms.reviewer: -manager: dansimp ---- -# Configure Windows Sun Valley - diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index ef58977660..eda7ab8577 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -67,7 +67,7 @@ landingContent: - text: What's new in Windows deployment url: deploy-whats-new.md - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv-overview.md + url: /windows/whats-new/windows-sv.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 60a1b71261..c745cb605b 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -30,8 +30,10 @@ landingContent: url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - - text: Plan to deploy Windows Sun Valley + - text: Plan for Windows Sun Valley url: /windows/whats-new/windows-sv-plan + - text: Prepare for Windows Sun Valley + url: /windows/whats-new/windows-sv-prepare - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index f0ec3588a7..01da3e1c0a 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,34 +1,5 @@ -- name: Windows Sun Valley - href: index.yml - items: - - name: Get started - items: - - name: Windows Sun Valley overview - href: windows-sv-overview.md - - name: Windows Sun Valley requirements - href: windows-sv-requirements.md - - - name: Deploy and Manage Windows Sun Valley - items: - - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/windows-sv-plan - - name: Prepare for Windows Sun Valley - href: /windows/deployment/windows-sv-prepare.md - - name: Deploy Windows Sun Valley - href: /windows/deployment/windows-sv-deploy.md - - name: Configure Windows Sun Valley - href: /windows/configuration/windows-sv-configure.md - - name: Manage Windows Sun Valley - href: /windows/client-management/windows-sv-manage.md - - name: Windows Sun Valley application readiness - href: /windows/application-management/windows-sv-app-readiness.md - - - name: Support - items: - - name: Windows Sun Valley lifecycle - href: windows-sv-lifecycle.md - - name: Windows Sun Valley release information - href: /windows/release-health +- name: Index + href: index.md diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml index e2971f2d84..48236190f9 100644 --- a/windows/sv/breadcrumb/toc.yml +++ b/windows/sv/breadcrumb/toc.yml @@ -1,53 +1,3 @@ - name: Docs tocHref: / topicHref: / - items: - - name: Windows - tocHref: /windows - topicHref: /windows/windows-10 - items: - - name: What's new - tocHref: /windows/whats-new/ - topicHref: /windows/whats-new/index - - name: Configuration - tocHref: /windows/configuration/ - topicHref: /windows/configuration/index - - name: Deployment - tocHref: /windows/deployment/ - topicHref: /windows/deployment/index - - name: Application management - tocHref: /windows/application-management/ - topicHref: /windows/application-management/index - - name: Client management - tocHref: /windows/client-management/ - topicHref: /windows/client-management/index - items: - - name: Mobile Device Management - tocHref: /windows/client-management/mdm/ - topicHref: /windows/client-management/mdm/index - - name: Release information - tocHref: /windows/release-information/ - topicHref: /windows/release-health/release-information - - name: Privacy - tocHref: /windows/privacy/ - topicHref: /windows/privacy/index - - name: Security - tocHref: /windows/security/ - topicHref: /windows/security/index - items: - - name: Identity and access protection - tocHref: /windows/security/identity-protection/ - topicHref: /windows/security/identity-protection/index - items: - - name: Windows Hello for Business - tocHref: /windows/security/identity-protection/hello-for-business - topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification - - name: Threat protection - tocHref: /windows/security/threat-protection/ - topicHref: /windows/security/threat-protection/index - - name: Information protection - tocHref: /windows/security/information-protection/ - topicHref: /windows/security/information-protection/index - - name: Hardware-based protection - tocHref: /windows/security/hardware-protection/ - topicHref: /windows/security/hardware-protection/index diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json index e7955464fe..fe874614d1 100644 --- a/windows/sv/docfx.json +++ b/windows/sv/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-sv/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "windows-11", + "dest": "windows-sv", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/windows/sv/index.yml b/windows/sv/index.yml deleted file mode 100644 index 6f30d77869..0000000000 --- a/windows/sv/index.yml +++ /dev/null @@ -1,61 +0,0 @@ -### YamlMime:Landing - -title: Windows Sun Valley # < 60 chars -summary: Find out about Windows Windows Sun Valley. # < 160 chars - -metadata: - title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: windows-10 - author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. - ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 05/07/2021 #Required; mm/dd/yyyy format. - localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new - -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Get started - linkLists: - - linkListType: overview - links: - - text: Windows Sun Valley overview - url: windows-sv-overview.md - - text: Windows Sun Valley requirements - url: windows-sv-requirements.md - - # Card (optional) - - title: Deploy Windows Sun Valley - linkLists: - - linkListType: overview - links: - - text: Plan to deploy Windows Windows Sun Valley - url: /windows/deployment/windows-sv-plan.md - - text: Prepare for Windows Windows Sun Valley - url: /windows/deployment/windows-sv-prepare.md - - text: Deploy Windows Windows Sun Valley - url: /windows/deployment/windows-sv-deploy.md - - text: Configure Windows Windows Sun Valley - url: /windows/configuration/sv-configure.md - - text: Manage Windows Windows Sun Valley - url: /windows/client-management/windows-sv-manage.md - - text: Windows Windows Sun Valley application readiness - url: /windows/application-management/windows-sv-app-readiness.md - - # Card (optional) - - title: Support information - linkLists: - - linkListType: overview - links: - - text: Windows Windows Sun Valley lifecycle - url: placeholder.md - - text: Windows Windows Sun Valley release information - url: /windows/release-health - diff --git a/windows/sv/placeholder.md b/windows/sv/placeholder.md deleted file mode 100644 index fecfe94a8e..0000000000 --- a/windows/sv/placeholder.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Placeholder -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Placeholder - -Placeholder text. - diff --git a/windows/sv/windows-sv-get-started.md b/windows/sv/windows-sv-get-started.md deleted file mode 100644 index 25b0d9e99c..0000000000 --- a/windows/sv/windows-sv-get-started.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. -keywords: ["get started", "windows sun valley"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 10/16/2017 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# Get started with Windows Sun Valley - -**Applies to** - -- Windows Sun Valley - -## Deployment planning - -Consider using the following process to deploy Windows Sun Valley to existing devices: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. -6. Update qualifying devices to Windows Sun Valley. - - -## See also - -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) diff --git a/windows/sv/windows-sv-lifecycle.md b/windows/sv/windows-sv-lifecycle.md deleted file mode 100644 index fab8fda180..0000000000 --- a/windows/sv/windows-sv-lifecycle.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Lifecycle -description: Lifecycle information for Windows 11 -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 lifecycle - -Windows 11 lifecycle. - diff --git a/windows/sv/windows-sv-overview.md b/windows/sv/windows-sv-overview.md deleted file mode 100644 index 2407048dbc..0000000000 --- a/windows/sv/windows-sv-overview.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Windows Sun Valley overview -description: Overview of Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley overview - -**Applies to** -- Windows Sun Valley - -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. - -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. - -## How to get Windows Sun Valley - -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. - -You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. - -You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). - -## Windows Sun Valley lifecycle - -### Updates - -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -### Servicing - -Windows Sun Valley annual releases are supported for 24 months for the following editions: -- Home -- Pro -- Pro for Workstations -- Pro Education - -Windows Sun Valley annual releases are supported for 36 months for the following editions: -- Enterprise -- Education - -### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Windows 10 lifecycle - -Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. - -Windows 10 will be supported with security updates until October 2025. - -## Management and tools - -Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. - -## Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -## Application compatibility - -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). - -## Licensing - -There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. - -Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. - -If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. - -## Rollback - -After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. - -## See also - -[Get started with Windows Sun Valley](windows-sv-get-started.md) diff --git a/windows/sv/windows-sv-requirements.md b/windows/sv/windows-sv-requirements.md deleted file mode 100644 index ddb8bf84c1..0000000000 --- a/windows/sv/windows-sv-requirements.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Windows Sun Valley requirements -description: Hardware requirements to deploy Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley requirements - -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). - -## Software requirements - -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. - -## Hardware requirements - -To install Windows Sun Valley, devices must meet the following specifications: - -Processor -- Intel 8th generation, Intel Celeron N4000, Pentium N5000 -- AMD Ryzen gen 2 (Zen+), AMD 3xxx -- Qualcomm 7c, 8c, 8cx -- 64bit architecture -- 1Ghz clock speed -- 2 cores - -Hardware -- 64GB drive -- 4GB RAM -- UEFI, Secure Boot capable & TPM 2.0 -- Monitor size 9” or more with HD Resolution -- DirectX 12 compatible graphics / WDDM 2.x - -## Network requirements - -Internet connectivity is required for the Home Edition - -## See also - -[Windows Sun Valley overview](windows-sv-overview.md) - From 36c589b9e5d96f87f935bde4729dacf959f2fb41 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:18:22 -0700 Subject: [PATCH 199/370] acrolinx --- .../sv-app-readiness.md | 183 ------------------ windows/sv/index.md | 1 + windows/whats-new/windows-sv-plan.md | 16 +- windows/whats-new/windows-sv-prepare.md | 20 +- windows/whats-new/windows-sv-requirements.md | 36 ++-- windows/whats-new/windows-sv.md | 12 +- 6 files changed, 43 insertions(+), 225 deletions(-) delete mode 100644 windows/application-management/sv-app-readiness.md diff --git a/windows/application-management/sv-app-readiness.md b/windows/application-management/sv-app-readiness.md deleted file mode 100644 index d8cddab78d..0000000000 --- a/windows/application-management/sv-app-readiness.md +++ /dev/null @@ -1,183 +0,0 @@ ---- -title: Windows 10 - Apps -ms.reviewer: -manager: dansimp -description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- -# Understand the different apps included in Windows 10 - ->Applies to: Windows 10 - -The following types of apps run on Windows 10: -- Windows apps - introduced in Windows 8, primarily installed from the Store app. -- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. -- "Win32" apps - traditional Windows applications. - -Digging into the Windows apps, there are two categories: -- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: - - Provisioned: Installed in user account the first time you sign in with a new user account. - - Installed: Installed as part of the OS. -- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. - -The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI. - -Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. - -## Provisioned Windows apps - -You can list all provisioned Windows apps with this PowerShell command: - -```Powershell -Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName -``` - -Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. - -| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | - ->[!NOTE] ->The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - -## System apps - -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. - -You can list all system apps with this PowerShell command: - -```Powershell -Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation -``` - -| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | -|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| -| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No | -| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No | -| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No | -| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No | -| | InputApp | x | x | x | No | -| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No | -| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No | -| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | -| | Microsoft.CredDialogHost | x | x | x | No | -| | Microsoft.ECApp | x | x | x | No | -| | Microsoft.LockApp | x | x | x | No | -| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No | -| | Microsoft.PPIProjection | x | x | x | No | -| | Microsoft.Win32WebViewHost | | x | x | No | -| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | -| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | -| | Microsoft.Windows.CapturePicker | | x | x | No | -| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | -| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | -| Cortana | Microsoft.Windows.Cortana | x | x | x | No | -| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | -| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | -| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | -| | Microsoft.Windows.ParentalControls | x | x | x | No | -| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No | -| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No | -| | Microsoft.Windows.SecHealthUI | x | x | x | No | -| | Microsoft.Windows.SecondaryTileExperience | x | | | No | -| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | -| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | -| Windows Feedback | Microsoft.WindowsFeedback | * | | | No | -| | Microsoft.XboxGameCallableUI | x | x | x | No | -| | Windows.CBSPreview | | x | x | No | -| Contact Support* | Windows.ContactSupport | * | | | Via Settings App | -| Settings | Windows.immersivecontrolpanel | x | x | x | No | -| Print 3D | Windows.Print3D | | x | x | Yes | -| Print UI | Windows.PrintDialog | x | x | x | No | - - -> [!NOTE] -> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Installed Windows apps - -Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. - - -| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | -|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | -| Sway | Microsoft.Office.Sway | x | x | x | Yes | -| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | -| | Microsoft.Services.Store.Engagement | x | x | | Yes | -| | Microsoft.VCLibs.120.00 | x | x | | Yes | -| | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | - ---- diff --git a/windows/sv/index.md b/windows/sv/index.md index e69de29bb2..9796fd78a1 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -0,0 +1 @@ +# Welcome to sv \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 81e3281c7d..45080d69f4 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -35,11 +35,11 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V ## Determine eligibility -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. The majority of devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publisher partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability @@ -56,7 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad > [!NOTE] > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. +> Additionally, Windows Sun Valley has a new end-user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end-user license agreements on behalf of the end-users within your organization. ##### Unmanaged devices @@ -86,15 +86,15 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa ## Servicing and support -Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availabily date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 Semi-Annual Channel and LTSC releases. ## Application compatibility @@ -106,7 +106,7 @@ If you run into compatibility issues or want to ensure that your organization's With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software vendors, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. +For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index da5759ab4b..ee5d8fea7d 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -33,30 +33,30 @@ The tools that you use for heavy lifting during Windows 10 deployments can still #### On-premises solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see Windows Sun Valley offered as an option. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. > [!NOTE] -> During deployment, you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. +> During deployment, you will be prompted to agree to the license agreement on behalf of your end-users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] -> Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. +> Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. #### Cloud-based solutions - If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices for both Windows SV and Windows 10**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. - **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. @@ -84,7 +84,7 @@ To validate that your apps, infrastructure, and deployment processes are ready f If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. -- Leverage Azure Virtual Desktop and Azure Marketplace images . +- Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. @@ -93,7 +93,7 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. -For those that are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's **hardware eligibility assessment script**. This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. +If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). ## Prepare a pilot deployment @@ -109,9 +109,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End user readiness +## End-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end-users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index a1ae360f30..d3b9ece9e5 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -29,7 +29,7 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) - RAM: 4 gigabytes (GB) or greater -- Storage: 64GB or greater available storage is required to install Windows Sun Valley +- Storage: 64 GB or greater available storage is required to install Windows Sun Valley - Additional storage space might be required to download updates and enable specific features - Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver - System firmware: UEFI, Secure Boot capable @@ -55,24 +55,24 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **5G support** requires 5G capable modem. - **Auto HDR** requires an HDR monitor. - **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States -- **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU -- **DirectX 12 Ultimate** is available with supported games and graphics chips -- **Presence** requires sensor that can detect human distance from device or intent to interact with device -- **Intelligent Video Conferencing** requires video camera, microphone and speaker (audio output) -- **Multiple Voice Assistant** requires a microphone and speaker -- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width -- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute -- **Spatial Sound** requires supporting hardware and software -- **Microsoft Teams** requires video camera, microphone and speaker (audio output) -- **Touch** requires a screen or monitor that supports multi-touch -- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities -- **Voice Typing** requires a PC with a microphone -- **Wake on Voice** requires Modern Standby power model and microphone -- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router +- **Client Hyper-V** requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **DirectStorage** requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectX 12 Ultimate** is available with supported games and graphics chips. +- **Presence** requires sensor that can detect human distance from device or intent to interact with device. +- **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) +- **Multiple Voice Assistant** requires a microphone and speaker. +- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width. +- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. +- **Spatial Sound** requires supporting hardware and software. +- **Microsoft Teams** requires video camera, microphone, and speaker (audio output). +- **Touch** requires a screen or monitor that supports multi-touch. +- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. +- **Voice Typing** requires a PC with a microphone. +- **Wake on Voice** requires Modern Standby power model and microphone. +- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct +- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index fcbf1043e9..8c2564672a 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -22,17 +22,17 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating systgem release. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating system release. Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. +- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organization. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. @@ -46,11 +46,11 @@ For eligible PCs that are not managed by an organization, the Windows Sun Valley For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For those interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +If you are interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). ## Before you begin -Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following is a quick summary of licensing, compatibility, management, and servicing considerations. +Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations. #### Licensing @@ -75,7 +75,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From c251aec0540803ac99ae0c0522123ad3054e4383 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 22 Jun 2021 12:26:53 -0700 Subject: [PATCH 200/370] Fixed the link to Managed Installer EA --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 99f5695221..2b7538b891 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From ff368163501f4e9af127c97ffec4a515b6c021cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:28:02 -0700 Subject: [PATCH 201/370] fixes --- windows/sv/index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 9796fd78a1..2217e6e08d 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1 +1,5 @@ -# Welcome to sv \ No newline at end of file +--- +title: SV +author: greg-lindsay +ms.author: greglin +--- \ No newline at end of file From 98f5f95120a757da1ff7d3dfedfe44efc4ce8115 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:53:07 -0700 Subject: [PATCH 202/370] acrolinx --- windows/hub/index.yml | 2 +- windows/whats-new/windows-sv-prepare.md | 8 ++++---- windows/whats-new/windows-sv-requirements.md | 18 +++++++++--------- windows/whats-new/windows-sv.md | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index c745cb605b..0eeef6aed5 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -5,7 +5,7 @@ summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index ee5d8fea7d..4abb0e142c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -75,13 +75,13 @@ For more information, see [Create a deployment plan](/windows/deployment/update/ #### Review policies -Review deployment-related polices, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. +Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. #### Validate apps and infrastructure -To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started) and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). +To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). -If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: +If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes: - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. - Leverage Azure Virtual Desktop and Azure Marketplace images. @@ -111,7 +111,7 @@ At a high level, the tasks involved are: ## End-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end-users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index d3b9ece9e5..bcb173bfe8 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -27,14 +27,14 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) -- RAM: 4 gigabytes (GB) or greater -- Storage: 64 GB or greater available storage is required to install Windows Sun Valley - - Additional storage space might be required to download updates and enable specific features -- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver -- System firmware: UEFI, Secure Boot capable -- TPM: Trusted Platform Module (TPM) version 2.0 -- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). +- RAM: 4 gigabytes (GB) or greater. +- Storage: 64 GB or greater available storage is required to install Windows Sun Valley. + - Additional storage space might be required to download updates and enable specific features. +- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver. +- System firmware: UEFI, Secure Boot capable. +- TPM: Trusted Platform Module (TPM) version 2.0. +- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. - Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. @@ -62,7 +62,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Presence** requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) - **Multiple Voice Assistant** requires a microphone and speaker. -- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width. +- **Snap** three-column layouts require a screen that is 1920 effective pixels or greater in width. - **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. - **Spatial Sound** requires supporting hardware and software. - **Microsoft Teams** requires video camera, microphone, and speaker (audio output). diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 8c2564672a..ae6a0260d0 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -75,7 +75,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will be available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From 19ecc31a67c25c3c85f87993e789552d8d8b7114 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 13:03:50 -0700 Subject: [PATCH 203/370] acrolinx --- windows/sv/index.md | 5 ++++- windows/whats-new/windows-sv-plan.md | 10 +++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 2217e6e08d..6f48df996d 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,5 +1,8 @@ --- title: SV +md.prod: w10 author: greg-lindsay ms.author: greglin ---- \ No newline at end of file +--- + +# \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 45080d69f4..6cae30fc07 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,14 +24,14 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) that are in place for Windows Sun Valley. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) - [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) - [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. +If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. ## Determine eligibility @@ -49,7 +49,7 @@ Windows Sun Valley will be offered to eligible Windows 10 devices beginning late Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: - Blocking the upgrade on non-eligible devices. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. @@ -60,7 +60,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad ##### Unmanaged devices -Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. +Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. @@ -69,7 +69,7 @@ Unmanaged eligible devices running Windows 10 that were purchased after June 202 The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows Sun Valley readiness considerations From a16c12781777c3e34e91a8e1811422139e3a9f47 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 14:01:55 -0700 Subject: [PATCH 204/370] some edits --- windows/whats-new/windows-sv-plan.md | 16 ++++-- windows/whats-new/windows-sv-prepare.md | 46 ++++++++-------- windows/whats-new/windows-sv-requirements.md | 55 ++++++++++---------- windows/whats-new/windows-sv.md | 12 +++-- 4 files changed, 71 insertions(+), 58 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 6cae30fc07..d1e4c7dbec 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,7 +24,9 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. + +At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) @@ -88,13 +90,17 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. -Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +**Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. + +**Feature updates**: Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. + +**Lifecycle**: - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. - Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 Semi-Annual Channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. ## Application compatibility @@ -104,9 +110,9 @@ Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun V If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. -With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. +**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows Sun Valley can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 4abb0e142c..5220b153c3 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,58 +20,59 @@ ms.topic: article - Windows Sun Valley, version 21H2 -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. -> [!IMPORTANT] -> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. + > [!IMPORTANT] + > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. #### On-premises solutions - If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. -> [!NOTE] -> During deployment, you will be prompted to agree to the license agreement on behalf of your end-users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > [!NOTE] + > During deployment, you will be prompted to agree to the end-user license agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. -> [!NOTE] -> Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. + > [!NOTE] + > Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether you are using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. - **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. +- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. -If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. +If you are exclusively managing devices on-premise (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. +Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. -To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This enables you to stay current with less effort and impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation - Broad (users or critical): Wide deployment -For more information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). +For detailed information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). #### Review policies @@ -91,13 +92,15 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. -If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). +If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. + +For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). ## Prepare a pilot deployment -A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production before deploying it broadly across the organization. +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. At a high level, the tasks involved are: @@ -112,8 +115,7 @@ At a high level, the tasks involved are: ## End-user readiness To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - -- Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. +- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index bcb173bfe8..f32476c8f3 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -31,14 +31,14 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - RAM: 4 gigabytes (GB) or greater. - Storage: 64 GB or greater available storage is required to install Windows Sun Valley. - Additional storage space might be required to download updates and enable specific features. -- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver. +- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. - TPM: Trusted Platform Module (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. +- Internet connection: Internet connectivity is necessary to perform updates, download, and use some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). +For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -46,34 +46,35 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
+> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements -Some features in Windows Sun Valley have requirements beyond those listed above. See the following list: +Some features in Windows Sun Valley have requirements beyond those listed above. See the following list of features and associated requirements. -- **5G support** requires 5G capable modem. -- **Auto HDR** requires an HDR monitor. -- **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V** requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. -- **DirectStorage** requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. -- **DirectX 12 Ultimate** is available with supported games and graphics chips. -- **Presence** requires sensor that can detect human distance from device or intent to interact with device. -- **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) -- **Multiple Voice Assistant** requires a microphone and speaker. -- **Snap** three-column layouts require a screen that is 1920 effective pixels or greater in width. -- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. -- **Spatial Sound** requires supporting hardware and software. -- **Microsoft Teams** requires video camera, microphone, and speaker (audio output). -- **Touch** requires a screen or monitor that supports multi-touch. -- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. -- **Voice Typing** requires a PC with a microphone. -- **Wake on Voice** requires Modern Standby power model and microphone. -- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. -- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. +- **5G support**: requires 5G capable modem. +- **Auto HDR**: requires an HDR monitor. +- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectX 12 Ultimate**: is available with supported games and graphics chips. +- **Presence**: requires sensor that can detect human distance from device or intent to interact with device. +- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) +- **Multiple Voice Assistant**: requires a microphone and speaker. +- **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width. +- **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. +- **Spatial Sound**: requires supporting hardware and software. +- **Microsoft Teams**: requires video camera, microphone, and speaker (audio output). +- **Touch**: requires a screen or monitor that supports multi-touch. +- **Two-factor authentication**: requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. +- **Voice Typing**: requires a PC with a microphone. +- **Wake on Voice**: requires Modern Standby power model and microphone. +- **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. +- **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). +- **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. +- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index ae6a0260d0..335297ca86 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -36,6 +36,8 @@ Windows Sun Valley is the next evolution of Windows; the most significant update This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. +After Windows Sun Valley is generally available, it is expected that many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The guidance provided here can help you to manage this hybrid environment. + ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. @@ -50,7 +52,7 @@ If you are interested in testing Windows Sun Valley before general availability, ## Before you begin -Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations. +The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows Sun Valley. #### Licensing @@ -62,11 +64,11 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. If you use non-Microsoft tools, check with your vendor to verify compatibility. +Windows Sun Valley is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. > [!IMPORTANT] > Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. @@ -75,7 +77,9 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will be available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. + +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From 5e7dcbac9d78e94a8c48259b510b325eecb28160 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 14:20:10 -0700 Subject: [PATCH 205/370] some edits --- windows/deployment/deploy-whats-new.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 03d5ce122e..583e4392a1 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -20,14 +20,13 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 -- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an all-up overview of new features in Windows 11, see [What's new in Windows 11](/windows/whats-new/index). +- For an overview of Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/windows-sv). ## Latest news From 68bd4770c1ef05350b32668dc394d3e14db2c1c2 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:27:38 -0700 Subject: [PATCH 206/370] Matt Palko edits --- .../hello-aad-join-cloud-only-deploy.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b5aa653cdc..b195744150 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 06/03/2021 +ms.date: 06/23/2021 ms.reviewer: --- # Azure AD Joined Cloud Only Deployment @@ -25,15 +25,15 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. +Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. Check and view this setting with the following MSOnline PowerShell command: @@ -53,9 +53,9 @@ If you use this Supports MFA switch with value **True**, you must verify that yo We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business Enrollment policy +## Disable Windows Hello for Business using Intune Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. @@ -72,11 +72,11 @@ The information below can be pushed out to the devices through a third-party MDM Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. +Here are the registry settings an Intune policy would set. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. @@ -91,7 +91,7 @@ For your reference, these registry settings can be applied from Local or Group P - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 6cb449cb45de2824e6d0aa0a1a240a5914441e5b Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:49:57 -0700 Subject: [PATCH 207/370] Coded the reg strings --- .../hello-aad-join-cloud-only-deploy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b195744150..379f033684 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -74,20 +74,20 @@ Because these systems are Azure AD Joined only, and not domain joined, these set Here are the registry settings an Intune policy would set. -Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. -- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`** - DWORD: **UsePassportForWork** - Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** +- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable From c2a85c0c718ddde7cdeee43e37171045d0b81a38 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 09:05:44 -0700 Subject: [PATCH 208/370] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 755472b5af..85fe76af37 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,6 +1,6 @@ --- title: Language Pack Management CSP -description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp ms.author: dansimp @@ -8,17 +8,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nimishasatapathy -ms.date: 03/12/2021 +ms.date: 06/22/2021 --- # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. - +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node +1. Enumerate installed languages with GET command on the "InstalledLanguges" node: Sample command **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** @@ -30,10 +29,11 @@ The nodes under “InstalledLanguages” are the language tags of the installed 2. Install language pack features with EXECUTE command on the "StartInstall" node of the language Sample command + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -The installation is an asynchronous operation. IT admin can query the ‘Status’ node using +The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** From a9ac94ea0da7023a22d9e049af7095cbd79363ec Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Wed, 23 Jun 2021 11:07:01 -0700 Subject: [PATCH 209/370] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 05468dd64e..ee556ecef8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,8 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From 67e7fb72ae34de3b0b10f7ee2aca1037f5565cc3 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 23 Jun 2021 11:35:43 -0700 Subject: [PATCH 210/370] Applied suggested edits --- .../select-types-of-rules-to-create.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 5f12576ef7..42fcb69ab3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,8 +121,8 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -<<<<<<< HEAD -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From c8d156c7354b04770d47904928c4d89e59d8e30e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:19:59 -0700 Subject: [PATCH 211/370] Update configuration-service-provider-reference.md fixing relative link --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 2f152af35b..8d54b43c2b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1109,7 +1109,7 @@ Additional lists: +Only for mobile application management (MAM) @@ -2843,4 +2843,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 5185eba0fd5749e0a4ab5f5b8b6c4a98cc1735ec Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 23 Jun 2021 13:27:32 -0700 Subject: [PATCH 212/370] Updated Note for Disabled:Script Enforcment to select-types-of-rules-to-create and wdac-wizard-create-base-policy files. --- .../select-types-of-rules-to-create.md | 2 +- .../wdac-wizard-create-base-policy.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 42fcb69ab3..4fd6f8105d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -61,7 +61,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | -| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | +| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes) NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 91ba9aeac7..2c5382e43b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -59,7 +59,7 @@ A description of each policy rule, beginning with the left-most column, is provi |------------ | ----------- | | **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | +| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | |**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | From 769114b7494120e57e068de280a77cb18b49c4d9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:28:04 -0700 Subject: [PATCH 213/370] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 42 ++++++++++++------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 85fe76af37..2e9d2f4140 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,43 +14,55 @@ ms.date: 06/22/2021 # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. -Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node: +1. List the installed languages with GET command on the "InstalledLanguges" node. For example: -Sample command -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** +``` +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers +``` -The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. -2. Install language pack features with EXECUTE command on the "StartInstall" node of the language - -Sample command +2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, +``` **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** +``` -The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: +The installation is an asynchronous operation. You can query the **Status** node by using the following commands: +``` **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** +``` + +Return value definitions are: + +- 0 – Not started +- 1 – In process +- 2 – Succeeded +- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed -Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed > [!NOTE] -> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. Sample command +``` **DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** +``` 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node Sample command +``` **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** +``` From 6c92cd3cdbba8167b1fef020426b49f0b1d58710 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 13:54:22 -0700 Subject: [PATCH 214/370] incorp changes --- windows/hub/index.yml | 2 +- windows/whats-new/windows-sv-plan.md | 39 ++++++++--------- windows/whats-new/windows-sv-prepare.md | 45 +++++++++----------- windows/whats-new/windows-sv-requirements.md | 18 ++++---- windows/whats-new/windows-sv.md | 16 +++---- 5 files changed, 57 insertions(+), 63 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 0eeef6aed5..846ee4e900 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -34,7 +34,7 @@ landingContent: url: /windows/whats-new/windows-sv-plan - text: Prepare for Windows Sun Valley url: /windows/whats-new/windows-sv-prepare - - text: What's new in Windows 10, version 21H2 + - text: What's new in Windows 10, version 21H1 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information url: /windows/release-health/release-information diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d1e4c7dbec..11aa8a3ddc 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -18,13 +18,13 @@ ms.topic: article **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley ## Deployment planning This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. +Since Windows Sun Valley is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) @@ -39,48 +39,45 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publisher partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows Sun Valley device support into their solutions. ## Windows Sun Valley availability -Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. +The availability of Windows Sun Valley will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. ##### Managed devices -Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. +Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: -- Blocking the upgrade on non-eligible devices. +- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows Sun Valley upgrade. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end-user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end-user license agreements on behalf of the end-users within your organization. +> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows Sun Valley).
+> Additionally, Windows Sun Valley has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. ##### Unmanaged devices Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. -Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. -> [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. - -The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. +The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows Sun Valley readiness considerations -The recommended method for organizations to determine if their infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features in details. +The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. - Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune, allowing you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). @@ -92,11 +89,11 @@ Along with end-user experience and security improvements, Windows Sun Valley int **Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. -**Feature updates**: Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +**Feature updates**: Microsoft will provide a single Windows Sun Valley feature update annually, targeted for release in the second half of each calendar year. **Lifecycle**: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the general availability date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the general availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. @@ -104,7 +101,7 @@ It is important that organizations have adequate time to plan for Windows Sun Va ## Application compatibility -Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, and it is passing these requirements. +Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. #### App Assure and Test Base for Microsoft 365 @@ -122,4 +119,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme ## Also see -Learning module +[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5220b153c3..dfca52badf 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -18,54 +18,54 @@ ms.topic: article **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools -The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. -#### On-premises solutions +#### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. After you sync the product category, you will see Windows Sun Valley offered as an option. If you would like to validate Windows Sun Valley prior to release, you can sync the Windows Insider Pre-release category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the end-user license agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether you are using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. +- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. -If you are exclusively managing devices on-premise (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. +If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. -When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This enables you to stay current with less effort and impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development @@ -88,15 +88,11 @@ If you use Windows Server Update Services, you can deploy directly from the Wind - Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows Sun Valley Preview Builds, once they become available through the Windows Insider Program. #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. - -If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. - -For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. ## Prepare a pilot deployment @@ -112,9 +108,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## end-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows Sun Valley. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. @@ -125,4 +121,5 @@ See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365- ## See also -[Windows Sun Valley deployment planning](windows-sv-plan.md) +[Plan for Windows Sun Valley](windows-sv-plan.md)
+[Windows help & learning](https://support.microsoft.com/windows) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index f32476c8f3..75dffa0e7b 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). @@ -29,15 +29,17 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). - RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB or greater available storage is required to install Windows Sun Valley. +- Storage: 64 GB\* or greater available storage is required to install Windows Sun Valley. - Additional storage space might be required to download updates and enable specific features. - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. -- TPM: Trusted Platform Module (TPM) version 2.0. +- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates, download, and use some features. +- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows Sun Valley up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). + For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -46,7 +48,7 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
+> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements @@ -59,7 +61,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. - **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. -- **DirectX 12 Ultimate**: is available with supported games and graphics chips. +- **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) - **Multiple Voice Assistant**: requires a microphone and speaker. @@ -74,12 +76,12 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. +- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Next steps -[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) ## See also diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 335297ca86..392951b9ff 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -20,9 +20,9 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating system release. +This article provides an introduction to Windows Sun Valley, and answers some frequently asked questions. Also see the following articles to learn more about Windows Sun Valley: @@ -32,19 +32,17 @@ Also see the following articles to learn more about Windows Sun Valley: ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. +Windows Sun Valley is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. -This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. - -After Windows Sun Valley is generally available, it is expected that many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The guidance provided here can help you to manage this hybrid environment. +Windows Sun Valley is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. -For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). +For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). -For eligible PCs that are not managed by an organization, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. Windows Sun Valley will initially be offered to Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements. +For devices that are not managed by an organization, the Windows Sun Valley upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -79,7 +77,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From b840943cb4adfc4afc0d6d867f1ef1d721f64cb1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 13:58:33 -0700 Subject: [PATCH 215/370] warning --- windows/sv/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 6f48df996d..6918ab9666 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,8 +1,11 @@ --- title: SV +description: SV md.prod: w10 +manager: laurawi +ms.topic: article author: greg-lindsay ms.author: greglin --- -# \ No newline at end of file +# . \ No newline at end of file From 37adc674590200f58a76dfcd24a24eb5790ee2ad Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 14:06:58 -0700 Subject: [PATCH 216/370] final --- windows/sv/index.md | 2 +- windows/whats-new/windows-sv-prepare.md | 4 ++-- windows/whats-new/windows-sv-requirements.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 6918ab9666..7a31c42d39 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,7 +1,7 @@ --- title: SV description: SV -md.prod: w10 +ms.prod: w10 manager: laurawi ms.topic: article author: greg-lindsay diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index dfca52badf..e6f48a1037 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -26,7 +26,7 @@ After you evaluate your hardware to see if it meets [requirements](windows-sv-re ## Infrastructure and tools -The tools that you use for core workloads during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be used for Windows Sun Valley. A few nuanced differences are described below. > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. @@ -45,7 +45,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 75dffa0e7b..eb25e65a86 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -75,7 +75,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Wake on Voice**: requires Modern Standby power model and microphone. - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. +- **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. From d84deb14fe354539e2cfc5dd6135d30f1e1f08d5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 23 Jun 2021 15:14:07 -0700 Subject: [PATCH 217/370] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 73 ++++++++++++++++++- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index eeb53adf0b..3916a1550a 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/23/2021 --- # Defender CSP @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -518,9 +521,75 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +**Configuration/PlatformUpdatesChannel** + +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 0: Not configured (Default) +- 1: Beta Channel - Prerelease +- 2: Current Channel (Preview) +- 3: Current Channel (Staged) +- 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** + +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** + +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +- 0: Not configured (Default) +- 3: Current Channel (Staged) +- 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. From 9f21e81e112a2c816c10ec7a8f0dab73b3723e36 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 23 Jun 2021 15:21:45 -0700 Subject: [PATCH 218/370] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 3916a1550a..97561119e4 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -574,7 +574,7 @@ Valid values are: - 3 - Current Channel (Staged) - 4 - Current Channel (Broad) -**Configuration/DefinitionUpdatesChannel** +**Configuration/SignaturesUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From 051dd31f47d60f5b74e9cceaef1ca96a84b432b8 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:00:11 -0700 Subject: [PATCH 219/370] 11 --- windows/application-management/index.yml | 2 +- windows/deployment/TOC.yml | 12 +- windows/deployment/deploy-whats-new.md | 2 +- windows/deployment/index.yml | 4 +- windows/hub/TOC.yml | 4 +- windows/hub/index.yml | 20 +-- windows/sv/docfx.json | 4 +- windows/whats-new/TOC.yml | 18 +-- windows/whats-new/index.yml | 24 ++-- windows/whats-new/windows-11-plan.md | 122 ++++++++++++++++++ ...ws-sv-prepare.md => windows-11-prepare.md} | 52 ++++---- ...irements.md => windows-11-requirements.md} | 34 ++--- windows/whats-new/windows-11.md | 86 ++++++++++++ windows/whats-new/windows-sv-plan.md | 122 ------------------ windows/whats-new/windows-sv.md | 86 ------------ 15 files changed, 296 insertions(+), 296 deletions(-) create mode 100644 windows/whats-new/windows-11-plan.md rename windows/whats-new/{windows-sv-prepare.md => windows-11-prepare.md} (60%) rename windows/whats-new/{windows-sv-requirements.md => windows-11-requirements.md} (76%) create mode 100644 windows/whats-new/windows-11.md delete mode 100644 windows/whats-new/windows-sv-plan.md delete mode 100644 windows/whats-new/windows-sv.md diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..d3a95df0d0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index e3fcfca9e0..cafdf97782 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,8 +5,8 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows Sun Valley deployment overview - href: /windows/whats-new/windows-sv-overview.md + - name: Windows 11 deployment overview + href: /windows/whats-new/windows-11-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -35,8 +35,8 @@ - name: Plan items: - - name: Windows Sun Valley deployment planning - href: /windows/whats-new/windows-sv-plan.md + - name: Windows 11 deployment planning + href: /windows/whats-new/windows-11-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -71,8 +71,8 @@ - name: Prepare items: - - name: Prepare to deploy Windows Sun Valley - href: /windows/whats-new/windows-sv-prepare.md + - name: Prepare to deploy Windows 11 + href: /windows/whats-new/windows-11-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 583e4392a1..fa8ca9e964 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -26,7 +26,7 @@ ms.custom: seo-marvel-apr2020 This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an overview of Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/windows-sv). +- For an overview of Windows 11, see [What's new in Windows 11](/windows/whats-new/windows-11). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index eda7ab8577..d938c4922b 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -66,8 +66,8 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv.md + - text: Windows 11 overview + url: /windows/whats-new/windows-11.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 1752028577..a199923b84 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -6,8 +6,8 @@ items: - name: What's new in Windows href: /windows/whats-new - - name: Windows Sun Valley - href: /windows/whats-new/windows-sv + - name: Windows 11 + href: /windows/whats-new/windows-11 - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 846ee4e900..f61c3a9861 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -26,14 +26,14 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv - - text: Windows Sun Valley requirements - url: /windows/whats-new/windows-sv-requirements - - text: Plan for Windows Sun Valley - url: /windows/whats-new/windows-sv-plan - - text: Prepare for Windows Sun Valley - url: /windows/whats-new/windows-sv-prepare + - text: Windows 11 overview + url: /windows/whats-new/windows-11 + - text: Windows 11 requirements + url: /windows/whats-new/windows-11-requirements + - text: Plan for Windows 11 + url: /windows/whats-new/windows-11-plan + - text: Prepare for Windows 11 + url: /windows/whats-new/windows-11-prepare - text: What's new in Windows 10, version 21H1 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json index fe874614d1..e7955464fe 100644 --- a/windows/sv/docfx.json +++ b/windows/sv/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/windows-sv/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "windows-sv", + "dest": "windows-11", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 71e18303ee..a9ae9e12ba 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,16 +1,16 @@ - name: What's new in Windows href: index.yml -- name: Windows Sun Valley +- name: Windows 11 expanded: true items: - - name: Windows Sun Valley overview - href: windows-sv.md - - name: Windows Sun Valley requirements - href: windows-sv-requirements.md - - name: Plan for Windows Sun Valley - href: windows-sv-plan.md - - name: Prepare for Windows Sun Valley - href: windows-sv-prepare.md + - name: Windows 11 overview + href: windows-11.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Plan for Windows 11 + href: windows-11-plan.md + - name: Prepare for Windows 11 + href: windows-11-prepare.md - name: Windows 10 expanded: true items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index fbea14e982..375f946870 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: What's new in Windows # < 60 chars -summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # < 160 chars +summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # < 160 chars metadata: title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 06/02/2021 #Required; mm/dd/yyyy format. + ms.date: 06/24/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -23,18 +23,18 @@ landingContent: # Start card title with a verb # Card (optional) - - title: Windows Sun Valley + - title: Windows 11 linkLists: - linkListType: overview links: - - text: Windows Sun Valley Overview - url: windows-sv.md - - text: Windows Sun Valley requirements - url: windows-sv-requirements.md - - text: Plan for Windows Sun Valley - url: windows-sv-plan.md - - text: Prepare for Windows Sun Valley - url: windows-sv-prepare.md + - text: Windows 11 overview + url: windows-11.md + - text: Windows 11 requirements + url: windows-11-requirements.md + - text: Plan for Windows 11 + url: windows-11-plan.md + - text: Prepare for Windows 11 + url: windows-11-prepare.md - title: Windows 10 linkLists: diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md new file mode 100644 index 0000000000..ad68e1ebfa --- /dev/null +++ b/windows/whats-new/windows-11-plan.md @@ -0,0 +1,122 @@ +--- +title: Plan for Windows 11 +description: Windows 11 deployment planning, IT Pro content. +keywords: ["get started", "windows 11", "plan"] +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.date: 06/24/2021 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# Plan for Windows 11 + +**Applies to** + +- Windows 11 + +## Deployment planning + +This article provides guidance to help you plan for Windows 11 in your organization. + +Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. + +At a high level, this strategy should include the following steps: +- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) +- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) +- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) +- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) +- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) + +If you are looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. + +## Determine eligibility + +As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. + +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  + +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. + +## Windows 11 availability + +The availability of Windows 11 will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. + +##### Managed devices + +Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. + +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: + +- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows 11 upgrade. +- Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. + +> [!NOTE] +> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
+> Additionally, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. + +##### Unmanaged devices + +Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. + +Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase. + +The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +## Windows 11 readiness considerations + +The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. + +As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: +- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). + +For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). + +The introduction of Windows 11 is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. + +## Servicing and support + +Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. + +**Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. + +**Feature updates**: Microsoft will provide a single Windows 11 feature update annually, targeted for release in the second half of each calendar year. + +**Lifecycle**: +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows 11 will receive 24 months of support from the general availability date. +- Enterprise and Education editions of Windows 11 will be supported for 36 months from the general availability date. + +When Windows 11 reaches general availability, a consolidated Windows 11 update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds. + +It is important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. + +## Application compatibility + +Microsoft's compatibility promise for Windows 10 is maintained for Windows 11. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows 11 is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. + +#### App Assure and Test Base for Microsoft 365 + +If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. + +**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. + +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. + +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. + +## Next steps + +[Prepare for Windows 11](windows-11-prepare.md) + +## Also see + +[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-11-prepare.md similarity index 60% rename from windows/whats-new/windows-sv-prepare.md rename to windows/whats-new/windows-11-prepare.md index e6f48a1037..3ef63328a5 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -1,7 +1,7 @@ --- -title: Prepare for Windows Sun Valley -description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. -keywords: ["get started", "windows sun valley"] +title: Prepare for Windows 11 +description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. +keywords: ["get started", "windows 11"] ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,40 +14,40 @@ ms.localizationpriority: high ms.topic: article --- -# Prepare for Windows Sun Valley +# Prepare for Windows 11 **Applies to** -- Windows Sun Valley +- Windows 11 -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. +After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools -The tools that you use for core workloads during Windows 10 deployments can still be used for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be used for Windows 11. A few nuanced differences are described below. > [!IMPORTANT] - > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. + > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. #### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. After you sync the product category, you will see Windows Sun Valley offered as an option. If you would like to validate Windows Sun Valley prior to release, you can sync the Windows Insider Pre-release category as well. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the Windows Insider Pre-release category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. -- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management @@ -55,19 +55,19 @@ If you aren’t already taking advantage of cloud-based management capabilities, The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: -- **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. +- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. +- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. +Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you are a fast adopter or will make the transition over the coming months or years. When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. -Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation - Broad (users or critical): Wide deployment @@ -80,7 +80,7 @@ Review deployment-related policies, taking into consideration your organization' #### Validate apps and infrastructure -To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). +To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes: @@ -88,11 +88,11 @@ If you use Windows Server Update Services, you can deploy directly from the Wind - Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows Sun Valley Preview Builds, once they become available through the Windows Insider Program. +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. ## Prepare a pilot deployment @@ -110,16 +110,16 @@ At a high level, the tasks involved are: ## end-user readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows Sun Valley. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows Sun Valley. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also -[Plan for Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows 11](windows-11-plan.md)
[Windows help & learning](https://support.microsoft.com/windows) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-11-requirements.md similarity index 76% rename from windows/whats-new/windows-sv-requirements.md rename to windows/whats-new/windows-11-requirements.md index eb25e65a86..2fbeeb8490 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -1,6 +1,6 @@ --- -title: Windows Sun Valley requirements -description: Hardware requirements to deploy Windows Sun Valley +title: Windows 11 requirements +description: Hardware requirements to deploy Windows 11 ms.reviewer: manager: laurawi ms.audience: itpro @@ -15,51 +15,51 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley requirements +# Windows 11 requirements **Applies to** -- Windows Sun Valley +- Windows 11 -This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). +This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). ## Hardware requirements -To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: +To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements: - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). - RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB\* or greater available storage is required to install Windows Sun Valley. +- Storage: 64 GB\* or greater available storage is required to install Windows 11. - Additional storage space might be required to download updates and enable specific features. - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. - TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. + - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows Sun Valley up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). -For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). +For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). ## Operating system requirements -For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. > [!NOTE] -> S mode is not supported on Windows Sun Valley. +> S mode is not supported on Windows 11. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements -Some features in Windows Sun Valley have requirements beyond those listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond those listed above. See the following list of features and associated requirements. - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. - **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. - **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. @@ -81,10 +81,10 @@ Some features in Windows Sun Valley have requirements beyond those listed above. ## Next steps -[Plan for Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) +[Plan for Windows 11](windows-11-plan.md)
+[Prepare for Windows 11](windows-11-prepare.md) ## See also -[Windows Sun Valley overview](windows-sv.md) +[Windows 11 overview](windows-11.md) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md new file mode 100644 index 0000000000..260967a467 --- /dev/null +++ b/windows/whats-new/windows-11.md @@ -0,0 +1,86 @@ +--- +title: Windows 11 overview +description: Overview of Windows 11 +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 overview + +**Applies to** + +- Windows 11 + +This article provides an introduction to Windows 11, and answers some frequently asked questions. + +Also see the following articles to learn more about Windows 11: + +- [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11. +- [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization. +- [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11. + +## Introduction + +Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. + +Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11. + +## How to get Windows 11 + +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. + +For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). + +For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. + +For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md). + +If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). + +## Before you begin + +The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11. + +#### Licensing + +There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices. + +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade. + +#### Compatibility + +Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details. + +Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility). + +#### Familiar processes + +Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11. + +> [!IMPORTANT] +> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities. + +For more information, see [Prepare for Windows 11](windows-11-prepare.md). + +#### Servicing Windows 11 + +Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year. + +When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support). + +## Next steps + +[Windows 11 requirements](windows-11-requirements.md)
+[Plan for Windows 11](windows-11-plan.md)
+[Prepare for Windows 11](windows-11-prepare.md) \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md deleted file mode 100644 index 11aa8a3ddc..0000000000 --- a/windows/whats-new/windows-sv-plan.md +++ /dev/null @@ -1,122 +0,0 @@ ---- -title: Plan for Windows Sun Valley -description: Windows Sun Valley deployment planning, IT Pro content. -keywords: ["get started", "windows sun valley", "plan"] -ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 06/24/2021 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# Plan for Windows Sun Valley - -**Applies to** - -- Windows Sun Valley - -## Deployment planning - -This article provides guidance to help you plan for Windows Sun Valley in your organization. - -Since Windows Sun Valley is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. - -At a high level, this strategy should include the following steps: -- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) -- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) -- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) -- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) -- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) - -If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. - -## Determine eligibility - -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. - -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  - -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows Sun Valley device support into their solutions. - -## Windows Sun Valley availability - -The availability of Windows Sun Valley will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. - -##### Managed devices - -Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. - -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: - -- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows Sun Valley upgrade. -- Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - -> [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. - -##### Unmanaged devices - -Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. - -Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. - -The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. - -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. - -## Windows Sun Valley readiness considerations - -The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. - -As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: -- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. -- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). - -For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). - -The introduction of Windows Sun Valley is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. - -## Servicing and support - -Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. - -**Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. - -**Feature updates**: Microsoft will provide a single Windows Sun Valley feature update annually, targeted for release in the second half of each calendar year. - -**Lifecycle**: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the general availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the general availability date. - -When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. - -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. - -## Application compatibility - -Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. - -#### App Assure and Test Base for Microsoft 365 - -If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. - -**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows Sun Valley can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. - -You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. - -## Next steps - -[Prepare for Windows Sun Valley](windows-sv-prepare.md) - -## Also see - -[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md deleted file mode 100644 index 392951b9ff..0000000000 --- a/windows/whats-new/windows-sv.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -title: Windows Sun Valley overview -description: Overview of Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley overview - -**Applies to** - -- Windows Sun Valley - -This article provides an introduction to Windows Sun Valley, and answers some frequently asked questions. - -Also see the following articles to learn more about Windows Sun Valley: - -- [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organization. -- [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. - -## Introduction - -Windows Sun Valley is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. - -Windows Sun Valley is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. - -## How to get Windows Sun Valley - -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. - -For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). - -For devices that are not managed by an organization, the Windows Sun Valley upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. - -For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -If you are interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). - -## Before you begin - -The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows Sun Valley. - -#### Licensing - -There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. - -Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. - -#### Compatibility - -Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). - -#### Familiar processes - -Windows Sun Valley is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. - -> [!IMPORTANT] -> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. - -For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). - -#### Servicing Windows Sun Valley - -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. - -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). - -## Next steps - -[Windows Sun Valley requirements](windows-sv-requirements.md)
-[Plan for Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From da5e83a1887db5401adf04d571724d1e0a31129b Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:21:08 -0700 Subject: [PATCH 220/370] capitalization --- windows/whats-new/windows-11-prepare.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 3ef63328a5..a1a45c11c6 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -33,7 +33,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the Windows Insider Pre-release category as well. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. @@ -45,9 +45,9 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management From a0f5e69c5d83903b287a0dd186e62b62cfcc9d89 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:36:46 -0700 Subject: [PATCH 221/370] link fix --- windows/deployment/TOC.yml | 10 ++++------ windows/deployment/deploy-whats-new.md | 5 +++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index cafdf97782..1348d4e836 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,8 +5,6 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows 11 deployment overview - href: /windows/whats-new/windows-11-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -35,8 +33,8 @@ - name: Plan items: - - name: Windows 11 deployment planning - href: /windows/whats-new/windows-11-plan.md + - name: Plan for Windows 11 + href: /windows/whats-new/windows-11-plan - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -71,8 +69,8 @@ - name: Prepare items: - - name: Prepare to deploy Windows 11 - href: /windows/whats-new/windows-11-prepare.md + - name: Prepare for Windows 11 + href: /windows/whats-new/windows-11-prepare - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fa8ca9e964..e3a0d81b25 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -16,20 +16,21 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# What's new in Windows 10 deployment +# What's new in Windows client deployment **Applies to:** - Windows 10 +- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an overview of Windows 11, see [What's new in Windows 11](/windows/whats-new/windows-11). ## Latest news +Check out the [Overview of Windows 11](/windows/whats-new/windows-11). [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
From f980c28e109ca579201859dd436635716942e944 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 02:07:14 -0700 Subject: [PATCH 222/370] small edit --- windows/whats-new/windows-11-plan.md | 4 ++-- windows/whats-new/windows-11-prepare.md | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index ad68e1ebfa..1227f3908d 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -58,7 +58,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad > [!NOTE] > If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
-> Additionally, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. ##### Unmanaged devices @@ -68,7 +68,7 @@ Windows 11 will be offered to eligible Windows 10 devices beginning later in the The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be used when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience, and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows 11 readiness considerations diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index a1a45c11c6..dda3e2c11d 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -108,7 +108,7 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## end-user readiness +## End-user readiness Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. @@ -117,7 +117,8 @@ Do not overlook the importance of end-user readiness to deliver an effective, en ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. +- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also From 3c0db3c4609ccb692a6394adce30440a37a130b3 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 02:12:22 -0700 Subject: [PATCH 223/370] format fix --- windows/deployment/deploy-whats-new.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e3a0d81b25..d2e0935b7d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -30,7 +30,11 @@ This topic provides an overview of new solutions and online content related to d ## Latest news -Check out the [Overview of Windows 11](/windows/whats-new/windows-11). +Check out the following new articles about Windows 11: +- [Overview of Windows 11](/windows/whats-new/windows-11) +- [Plan for Windows 11](/windows/whats-new/windows-11-plan) +- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) + [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
From b915fcd508c19e17ede088707e2fff4770a5c2ef Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 24 Jun 2021 10:55:29 +0100 Subject: [PATCH 224/370] Update policy-csp-system.md --- .../mdm/policy-csp-system.md | 96 ------------------- 1 file changed, 96 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 276a6d4d84..5437a4ae9e 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -125,10 +125,6 @@ manager: dansimp - - - - @@ -197,10 +193,6 @@ The following list shows the supported values: - - - - @@ -313,10 +305,6 @@ The following list shows the supported values: - - - - @@ -386,10 +374,6 @@ The following list shows the supported values: - - - - @@ -446,10 +430,6 @@ The following list shows the supported values: - - - - @@ -511,10 +491,6 @@ The following list shows the supported values: - - - - @@ -590,10 +566,6 @@ To verify if System/AllowFontProviders is set to true: - - - - @@ -686,10 +658,6 @@ If you disable this policy setting, devices may not appear in Microsoft Managed - - - - @@ -746,10 +714,6 @@ The following list shows the supported values: - - - - @@ -879,10 +843,6 @@ ADMX Info: - - - - @@ -957,10 +917,6 @@ The following list shows the supported values: - - - - @@ -1039,10 +995,6 @@ If you disable or do not configure this policy setting, devices enrolled to the - - - - @@ -1115,10 +1067,6 @@ ADMX Info: - - - - @@ -1189,10 +1137,6 @@ ADMX Info: - - - - @@ -1256,10 +1200,6 @@ The following list shows the supported values: - - - - @@ -1328,10 +1268,6 @@ The following list shows the supported values: - - - - @@ -1399,10 +1335,6 @@ ADMX Info: - - - - @@ -1470,10 +1402,6 @@ ADMX Info: - - - - @@ -1530,10 +1458,6 @@ ADMX Info: - - - - @@ -1612,10 +1536,6 @@ To validate on Desktop, do the following: - - - - @@ -1688,10 +1608,6 @@ ADMX Info: - - - - @@ -1746,10 +1662,6 @@ The following list shows the supported values: - - - - @@ -1820,10 +1732,6 @@ ADMX Info: - - - - @@ -1882,10 +1790,6 @@ ADMX Info: - - - - From 2cf7921e7559caccf3b41501d549254e522a586b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 24 Jun 2021 11:00:58 +0100 Subject: [PATCH 225/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 5437a4ae9e..7b1b43d816 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -123,7 +123,7 @@ manager: dansimp - + @@ -191,7 +191,7 @@ The following list shows the supported values: - + @@ -1855,5 +1855,6 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - 9 - Available in Windows 10, version 20H2. - 10 - Available in Windows 10, version 21H1. +- 11 - Also applies to Windows 10 Business. From dcb6afdeb3d9678cd3f309198fabefebce739a88 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 24 Jun 2021 11:12:11 +0100 Subject: [PATCH 226/370] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 7b1b43d816..2a6aaac456 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -191,7 +191,7 @@ The following list shows the supported values: - + From f20d6bcbb2669165ce231e35735dcd4defa8dd95 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 24 Jun 2021 07:15:42 -0700 Subject: [PATCH 227/370] CI 152135 - QA review --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 379f033684..850b4b5214 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 06/23/2021 ms.reviewer: --- -# Azure AD Joined Cloud Only Deployment +# Azure Active Directory join cloud only deployment ## Introduction @@ -59,9 +59,9 @@ However, not everyone uses Intune. The following method explains how to disable 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. Select from the following options for **Configure Windows Hello for Business**: +3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**. - 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. > [!NOTE] > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). From 61d096380db60f3105e32860f97ca5ba51f09567 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 24 Jun 2021 16:35:12 +0100 Subject: [PATCH 228/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index b75beff331..22f9a75bed 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -89,7 +89,7 @@ The following table provides an overview of the privacy settings discussed earli | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the recommended state to minimize data collection is not applicable. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | @@ -161,7 +161,7 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Diagnostic data does not include data processed by Microsoft with the use of essential services and connected experiences in Windows. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing the service based capabilities of essential services and connected experiences. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. @@ -173,7 +173,7 @@ We recommend that IT administrators who have enabled the Windows diagnostic data >[!Note] >Tenant account closure will lead to the deletion of all data associated with that tenant. -Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Desktop Analytics, and Microsoft Managed Devices. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). +Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Desktop Analytics, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr). From 4e9d6926b6e6f04c67c7638a648df8894f9fabd7 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 24 Jun 2021 17:00:27 +0100 Subject: [PATCH 229/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 22f9a75bed..2b896c075b 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -115,7 +115,7 @@ You can use the following articles to learn more about Autopilot and how to use #### _2.3.2 Windows 10 connected experiences and essential services_ -Windows includes built-in apps, services, and features, that connect to the internet to provide enhanced experiences and additional capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. +Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. From 632d4d4b2e038cdc35f91db05f400eb21831feb8 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:29:55 -0700 Subject: [PATCH 230/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Replaced Windows Defender with Microsoft Defender Antivirus and added a GP section for Cloud Clipboard --- ...system-components-to-microsoft-services.md | 68 ++++++++++++------- 1 file changed, 42 insertions(+), 26 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1dec9ad720..d046271409 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -27,13 +27,13 @@ ms.date: 5/21/2021 This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. +> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features. > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. @@ -48,7 +48,7 @@ We are always striving to improve our documentation and welcome your feedback. Y ## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections ### Settings for Windows 10 Enterprise edition @@ -103,7 +103,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -131,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser | [18. Settings > Privacy](#bkmk-settingssection) | | | | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -148,7 +148,7 @@ See the following table for a summary of the management settings for Windows Ser | [14. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 Nano Server @@ -213,7 +213,7 @@ See the following table for a summary of the management settings for Windows Ser | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | @@ -291,7 +291,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -423,7 +423,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -432,7 +432,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -567,7 +567,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -583,7 +583,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -594,13 +594,13 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). > [!Important] -> - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). -> - Devices must be domain joined for some of the policies to take effect. +> - The following settings are applicable to Microsoft Edge version 77 or later. +> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| @@ -913,7 +913,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. @@ -1616,13 +1616,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 24. Windows Defender +### 24. Microsoft Defender Antivirus You can disconnect from the Microsoft Antimalware Protection Service. > [!IMPORTANT] -> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903** -> 1. Ensure Windows and Windows Defender are fully up to date. +> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903** +> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date. > 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** @@ -1687,21 +1687,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Windows Defender SmartScreen +### 24.1 Microsoft Defender Antivirus SmartScreen -To disable Windows Defender SmartScreen: +To disable Microsoft Defender Antivirus SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- @@ -1930,6 +1930,22 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**. +### 30. Cloud Clipboard + +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + +ADMX Info: + +- GP English name: Allow Clipboard synchronization across devices
+- GP name: AllowCrossDeviceClipboard
+- GP path: System/OS Policies
+- GP ADMX file name: OSPolicy.admx
+ +The following list shows the supported values:
+0 – Not allowed. 1 (default) – Allowed.
+ ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 730d0f752c3ed9916cb428f8c13931e30862f9a3 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:53:50 -0700 Subject: [PATCH 231/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Added Services Config section and Menu links. --- ...erating-system-components-to-microsoft-services.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d046271409..a66e8d0a3a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -109,6 +109,8 @@ The following table lists management options for each setting, beginning with Wi | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience @@ -219,6 +221,8 @@ See the following table for a summary of the management settings for Windows Ser | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ## How to configure each setting @@ -1946,6 +1950,13 @@ ADMX Info: The following list shows the supported values:
0 – Not allowed. 1 (default) – Allowed.
+### 31. Services Configuration + +Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working. + +You can turn off Services Configuration by setting the following registry entries: + +Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**. ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 01af22fc75513dbe69c9bafa76e70e5c831cf8e7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 11:37:19 -0700 Subject: [PATCH 232/370] hook up article to TOC --- windows/deployment/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 1348d4e836..ae0fdee1a2 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -267,6 +267,8 @@ items: - name: How does Windows Update work? href: update/how-windows-update-works.md + - name: Windows 10 upgrade paths + href: upgrade/windows-10-upgrade-paths.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md - name: Understanding the Unified Update Platform From d2ad0329efdd7535e79d3c84363e440bf9964527 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 24 Jun 2021 11:37:40 -0700 Subject: [PATCH 233/370] Add the missing period --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 4fd6f8105d..1652ad9cd5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -61,7 +61,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | -| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes) NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | +| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | From f25f4173932e00702c8aa4d9525c593a013ab649 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:15:35 -0700 Subject: [PATCH 234/370] change testbase link --- windows/whats-new/windows-11-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 1227f3908d..3df8ed3080 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. From eefda074104c8536d027ddbe9b4a4736078b7cd7 Mon Sep 17 00:00:00 2001 From: John Flores Date: Thu, 24 Jun 2021 15:16:47 -0400 Subject: [PATCH 235/370] Update windows-11-prepare.md --- windows/whats-new/windows-11-prepare.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index dda3e2c11d..5ccbff2c5b 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -31,7 +31,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. -#### On-premise solutions +#### On-premises solutions - If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. @@ -59,7 +59,7 @@ The following are some common use cases and the corresponding Microsoft Endpoint - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. -If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. +If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies From 2b1f47e6f3dcc2a72d5965d1d6bf9a72bd72c896 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:44:49 -0700 Subject: [PATCH 236/370] edit S mode requirements --- windows/whats-new/windows-11-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 2fbeeb8490..2b48d9fb14 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -47,8 +47,8 @@ For information about tools to evaluate readiness, see [Determine eligibility](w For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. > [!NOTE] -> S mode is not supported on Windows 11. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
+> S mode is only supported on the Home edition of Windows 11. +> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements From 6b4c4036a9753d7ae79f7b2891de7290bc70bf3f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:49:11 -0700 Subject: [PATCH 237/370] public to private for testbase --- windows/whats-new/windows-11-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 3df8ed3080..17d61a7125 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. From 6747493aab97d69588473413beaf68978e48af4d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 13:13:28 -0700 Subject: [PATCH 238/370] update requirements --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 2b48d9fb14..8c87b2c454 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -60,7 +60,7 @@ Some features in Windows 11 have requirements beyond those listed above. See the - **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. -- **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support. - **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) From 3919f4de32931580f92760397d6ec2390afa0dc8 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Thu, 24 Jun 2021 16:34:43 -0700 Subject: [PATCH 239/370] Update docfx.json --- windows/whats-new/docfx.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 16f6364ce9..fe5bc2fe98 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -3,8 +3,8 @@ "content": [ { "files": [ - "**/*.md", - "**/*.yml" + "**/**/*.md", + "**/**/*.yml" ], "exclude": [ "**/obj/**", @@ -19,9 +19,9 @@ "resource": [ { "files": [ - "**/*.png", - "**/*.jpg", - "**/*.gif" + "**/**/*.png", + "**/**/*.jpg", + "**/**/*.gif" ], "exclude": [ "**/obj/**", From 7ea8c78d51c31642b527fccf283cb9b4a12f6eb9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 25 Jun 2021 07:25:19 +0530 Subject: [PATCH 240/370] removed symbols and pre word. as per user report #9717 . so I removed special symbols nas pre word . --- windows/deployment/windows-10-subscription-activation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6861d74931..dfb7ea6b10 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -197,7 +197,7 @@ You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, a To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: ```console -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 +cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 ``` The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. @@ -280,4 +280,4 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr [Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file +[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
From 01d51d82f1b559925c5b029fa959cea9aab20336 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 25 Jun 2021 08:54:28 -0700 Subject: [PATCH 241/370] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 4afc122348..8dbea776cc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18919,6 +18919,11 @@ "source_path": "windows/security/threat-protection/device-control/device-control-report.md", "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report", "redirect_document_id": false - } + }, + { + "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", + "redirect_document_id": false + } ] } From 7d9be28bd3ac8285558ffc9248ba849c65f52a4c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 25 Jun 2021 08:55:31 -0700 Subject: [PATCH 242/370] Delete system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md --- ...sed-root-of-trust-helps-protect-windows.md | 88 ------------------- 1 file changed, 88 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md deleted file mode 100644 index bb47f523e4..0000000000 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: How Windows Defender System Guard protect Windows 10 from firmware exploits -description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: deniseb -author: denisebmsft -search.appverid: met150 -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -ms.date: 03/01/2019 -ms.custom: asr -ms.technology: mde ---- - - -# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 - -In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. - -Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: - -- Protect and maintain the integrity of the system as it starts up -- Validate that system integrity has truly been maintained through local and remote attestation - -## Maintaining the integrity of the system as it starts - -### Static Root of Trust for Measurement (SRTM) - -With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. -This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. - -With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. -This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). -This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). - -As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. -Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list). -Each option has a drawback: - -- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust. -- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. -In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. - -### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) - -Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). -DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. -This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. - - -![System Guard Secure Launch](images/system-guard-secure-launch.png) - -Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. - -### System Management Mode (SMM) protection - -System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. -Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. -SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. -To defend against this, two techniques are used: - -1. Paging protection to prevent inappropriate access to code and data -2. SMM hardware supervision and attestation - -Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. -This prevents access to any memory that has not been specifically assigned. - -A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. - -SMM protection is built on top of the Secure Launch technology and requires it to function. -In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. - -## Validating platform integrity after Windows is running (run time) - -While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. - -As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. - - -![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) - -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. - From 4a278d355423eb63947930bfda1eab44643500b1 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 25 Jun 2021 09:22:30 -0700 Subject: [PATCH 243/370] Update configuration-service-provider-reference.md --- .../mdm/configuration-service-provider-reference.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 3dad2ebf68..679a0aabe7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1036,7 +1036,6 @@ Additional lists: - From 1d0e4e99cc951f391c0527b9fe5b43de8ceadd2c Mon Sep 17 00:00:00 2001 From: Max Stein Date: Fri, 25 Jun 2021 12:02:25 -0700 Subject: [PATCH 244/370] Update devicestatus-csp.md Light formatting fixes. --- .../client-management/mdm/devicestatus-csp.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 0dd72c26d2..f861b2d2e4 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 04/30/2019 +ms.date: 06/25/2021 --- # DeviceStatus CSP @@ -150,8 +150,8 @@ Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: -- 0 - not encrypted -- 1 - encrypted +- 0 - Not encrypted +- 1 - Encrypted Supported operation is Get. @@ -179,8 +179,8 @@ Supported operation is Get. Added in Windows, version 1803. Read only node that specifies the device mode. Valid values: -- 0 - the device is in standard configuration -- 1 - the device is in S mode configuration +- 0 - The device is in standard configuration +- 1 - The device is in S mode configuration Supported operation is Get. @@ -211,10 +211,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi Valid values: -- 0 – Antivirus is on and monitoring -- 1 – Antivirus is disabled -- 2 – Antivirus is not monitoring the device/PC or some options have been turned off -- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC +- 0 – Antivirus is on and monitoring. +- 1 – Antivirus is disabled. +- 2 – Antivirus is not monitoring the device/PC or some options have been turned off. +- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. - 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -263,10 +263,10 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa Valid values: -- 0 – Firewall is on and monitoring -- 1 – Firewall has been disabled -- 2 – Firewall is not monitoring all networks or some rules have been turned off -- 3 (default) – Firewall is temporarily not monitoring all networks +- 0 – Firewall is on and monitoring. +- 1 – Firewall has been disabled. +- 2 – Firewall is not monitoring all networks or some rules have been turned off. +- 3 (default) – Firewall is temporarily not monitoring all networks. - 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -331,8 +331,8 @@ Added in Windows, version 1709. Virtualization-based security status. Value is - 0 - Running - 1 - Reboot required - 2 - 64 bit architecture required -- 3 - not licensed -- 4 - not configured +- 3 - Not licensed +- 4 - Not configured - 5 - System doesn't meet hardware requirements - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details @@ -349,4 +349,4 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s - 4 - VBS not running -Supported operation is Get. \ No newline at end of file +Supported operation is Get. From 4214f6193ad6590941d482a82942d27493561997 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 25 Jun 2021 12:56:06 -0700 Subject: [PATCH 245/370] update driver topic --- ...icrosoft-recommended-driver-block-rules.md | 161 +++++++++++++++++- 1 file changed, 154 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 887fc765be..44f0200b2e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended driver block rules (Windows 10) -description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. -keywords: security, malware, kernel mode, driver +description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. +keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,7 @@ author: jgeurten ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 10/15/2020 -ms.technology: mde +ms.date: --- # Microsoft recommended driver block rules @@ -30,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. @@ -127,6 +126,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -352,6 +425,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -385,4 +532,4 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based ## More information -- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) \ No newline at end of file +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) From 8c7a9c164c557f35bc0bb73f1d9e25a87d3d8966 Mon Sep 17 00:00:00 2001 From: Nazmus Sakib Date: Fri, 25 Jun 2021 13:23:51 -0700 Subject: [PATCH 246/370] Add TPM2.0 recommendation Update additional details on TPM2.0 usage/recommendation in feature table --- .../tpm/tpm-recommendations.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6179ba0c0a..6bde2d3d8d 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support. Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | -|-|-|-|- - Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot + Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Windows Defender Application Control (Device Guard) | No | Yes | Yes - Windows Defender System Guard | Yes | No | Yes - Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. - Device Health Attestation| Yes | Yes | Yes - Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. + Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. + Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. + Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. UEFI Secure Boot | No | Yes | Yes TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes Virtual Smart Card | Yes | Yes | Yes Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. - DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. ## OEM Status on TPM 2.0 system availability and certified parts @@ -133,4 +132,4 @@ Government customers and enterprise customers in regulated industries may have a ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 46f1dd1f676094fb8b63692ebfe2ecd4cb04e8a7 Mon Sep 17 00:00:00 2001 From: David Strome Date: Fri, 25 Jun 2021 13:34:41 -0700 Subject: [PATCH 247/370] Remove SV docset --- .openpublishing.publish.config.json | 14 -------- windows/sv/TOC.yml | 5 --- windows/sv/breadcrumb/toc.yml | 3 -- windows/sv/docfx.json | 51 ----------------------------- windows/sv/index.md | 11 ------- 5 files changed, 84 deletions(-) delete mode 100644 windows/sv/TOC.yml delete mode 100644 windows/sv/breadcrumb/toc.yml delete mode 100644 windows/sv/docfx.json delete mode 100644 windows/sv/index.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 32eb1b181b..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -129,20 +129,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "sv", - "build_source_folder": "windows/sv", - "build_output_subfolder": "sv", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "win-access-protection", "build_source_folder": "windows/access-protection", diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml deleted file mode 100644 index 01da3e1c0a..0000000000 --- a/windows/sv/TOC.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Index - href: index.md - - - diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml deleted file mode 100644 index 48236190f9..0000000000 --- a/windows/sv/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json deleted file mode 100644 index e7955464fe..0000000000 --- a/windows/sv/docfx.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices.md" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", - "extendBreadcrumb": true, - "feedback_system": "None" - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-11", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md deleted file mode 100644 index 7a31c42d39..0000000000 --- a/windows/sv/index.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: SV -description: SV -ms.prod: w10 -manager: laurawi -ms.topic: article -author: greg-lindsay -ms.author: greglin ---- - -# . \ No newline at end of file From 270bf2a633662cd9a2f668a9d843010747381bec Mon Sep 17 00:00:00 2001 From: v-hearya Date: Sat, 26 Jun 2021 02:25:05 +0530 Subject: [PATCH 248/370] developer-faq.md converted into YML --- windows/security/threat-protection/TOC.yml | 2 +- .../threat-protection/intelligence/TOC.yml | 2 +- .../intelligence/developer-faq.md | 51 ---------------- .../intelligence/developer-faq.yml | 60 +++++++++++++++++++ .../intelligence/developer-resources.md | 2 +- 5 files changed, 63 insertions(+), 54 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/developer-faq.md create mode 100644 windows/security/threat-protection/intelligence/developer-faq.yml diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 3c8e12e04c..e310d0d993 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -224,7 +224,7 @@ - name: Information for developers items: - name: Software developer FAQ - href: intelligence/developer-faq.md + href: intelligence/developer-faq.yml - name: Software developer resources href: intelligence/developer-resources.md - name: The Windows Security app diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml index 6c1f372f77..eb239b51c5 100644 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ b/windows/security/threat-protection/intelligence/TOC.yml @@ -55,6 +55,6 @@ - name: Information for developers items: - name: Software developer FAQ - href: developer-faq.md + href: developer-faq.yml - name: Software developer resources href: developer-resources.md diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md deleted file mode 100644 index 73ca4ec48c..0000000000 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Software developer FAQ -ms.reviewer: -description: This page provides answers to common questions we receive from software developers -keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.technology: mde ---- - -# Software developer FAQ - -This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. - -## Does Microsoft accept files for a known list or false-positive prevention program? - -No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. - -## How do I dispute the detection of my program? - -Submit the file in question as a software developer. Wait until your submission has a final determination. - -If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. - -We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). - -## Why is Microsoft asking for a copy of my program? - -Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. - -## Why does Microsoft classify my installer as a software bundler? - -It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted. - -## Why is the Windows Defender Firewall blocking my program? - -Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). - -## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? - -This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/developer-faq.yml b/windows/security/threat-protection/intelligence/developer-faq.yml new file mode 100644 index 0000000000..04300736d9 --- /dev/null +++ b/windows/security/threat-protection/intelligence/developer-faq.yml @@ -0,0 +1,60 @@ +### YamlMime:FAQ +metadata: + title: Software developer FAQ + ms.reviewer: + description: This page provides answers to common questions we receive from software developers + keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking + search.product: eADQiWindows 10XVcnh + ms.prod: m365-security + ms.mktglfcycl: deploy + ms.sitesec: library + ms.pagetype: security + ms.author: dansimp + author: dansimp + ms.localizationpriority: medium + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: article + ms.technology: mde + +title: Software developer FAQ +summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. + + +sections: + - name: Ignored + questions: + - question: | + Does Microsoft accept files for a known list or false-positive prevention program? + answer: | + No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. + + - question: | + How do I dispute the detection of my program? + answer: | + Submit the file in question as a software developer. Wait until your submission has a final determination. + + If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. + + We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). + + - question: | + Why is Microsoft asking for a copy of my program? + answer: | + Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. + + - question: | + Why does Microsoft classify my installer as a software bundler? + answer: | + It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted. + + - question: | + Why is the Windows Defender Firewall blocking my program? + answer: | + Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). + + - question: | + Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? + answer: | + This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 659eaad25b..3b7d080b28 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -37,7 +37,7 @@ To objectively identify malware and unidentified software, Microsoft applies a [ ### Developer questions -Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md). +Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml). ### Scan your software From faeaeaddf09933dc0263f9b89e76065217129b2c Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 25 Jun 2021 14:17:28 -0700 Subject: [PATCH 249/370] Removed duplicate block events and file IOCs not intended to be blocked --- ...icrosoft-recommended-driver-block-rules.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 7d56cdbe9e..835c6da8f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -126,6 +126,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -351,6 +385,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 8d5d5e2f5ad1cf5ec2d42c19692250213fa9a3cd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:23 -0700 Subject: [PATCH 250/370] Acrolinx "a existing" --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6bde2d3d8d..2a29a3881a 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core From c163663490a9c6b53e407a7ea2145407739cac0d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:54 -0700 Subject: [PATCH 251/370] Fixed broken note --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 2a29a3881a..658a7d98d5 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. ## Discrete, Integrated or Firmware TPM? From f19fe3f304c3519cb505ea0a608ede95fd59bc9a Mon Sep 17 00:00:00 2001 From: Michael Howard Date: Sat, 26 Jun 2021 11:38:08 -0500 Subject: [PATCH 252/370] Fixed error in Principal Self SID --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 0dc6406a6d..f0c84a4b48 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -282,7 +282,7 @@ This group implicitly includes all users who are logged on to the system through ## Principal Self -This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. +This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. | **Attribute** | **Value** | | :--: | :--: | From f3a48169fa776b759e5f8f8e5dd3d4fa6c113b4a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 15:03:31 +0530 Subject: [PATCH 253/370] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 2e9d2f4140..d5266e8bf7 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -24,7 +24,7 @@ GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Provide GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers ``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, From 305560033d5d1e7ffb8db62e7b65ef3e963d4201 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 17:01:16 +0530 Subject: [PATCH 254/370] Updated --- .../mdm/Language-pack-management-csp.md | 64 ++++++------------- .../policy-configuration-service-provider.md | 9 +++ 2 files changed, 29 insertions(+), 44 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index d5266e8bf7..3c7af93899 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: Language Pack Management CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp @@ -14,64 +14,40 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. -1. List the installed languages with GET command on the "InstalledLanguges" node. For example: +1. Enumerate installed languages with GET command on the "InstalledLanguages" node + + ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** -``` -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers -``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, -``` -**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** -**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -``` + ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** -The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + The installation is an asynchronous operation. You can query the **Status** node by using the following commands: -``` -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** -``` + *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** + ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** -Return value definitions are: - -- 0 – Not started -- 1 – In process -- 2 – Succeeded -- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed + Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. -Sample command -``` -**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** -``` + + ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node -Sample command -``` -**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** -``` - - - - - - - - - - + **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fbe229c166..329281e328 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo + ## ADMX_ICM policies
@@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Language Pack Management CSP policies + +
+
+ LanmanWorkstation/EnableInsecureGuestLogons +
+
+ ### Licensing policies
From 6b6be2cac41decb77f9ded8b594274a4956cc761 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 23:45:45 +0530 Subject: [PATCH 255/370] Updated --- .../mdm/Language-pack-management-csp.md | 21 +++++++++++-------- ...onfiguration-service-provider-reference.md | 1 + 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 3c7af93899..f4a96bb39f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -18,22 +18,25 @@ The Language Pack Management CSP allows a direct way to provision language packs 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + - Indicates the language pack installed is a System Language Pack (non-LXP) + - Indicates that the LXP is installed. + - Indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, - ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** The installation is an asynchronous operation. You can query the **Status** node by using the following commands: - *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** - ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. @@ -43,11 +46,11 @@ The Language Pack Management CSP allows a direct way to provision language packs 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. - ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** + **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node - **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** \ No newline at end of file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 679a0aabe7..4f9dd3d9da 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1302,6 +1302,7 @@ Additional lists:
+
check mark -Only for mobile application management (MAM)check mark check markPro check mark
Businesscheck mark
Enterprise check markPro check mark6
Businesscheck mark6
Enterprise check mark6Pro check mark5
Businesscheck mark5
Enterprise check mark5Pro check mark
Businesscheck mark
Enterprise check markPro check mark
Businesscheck mark
Enterprise check markPro check mark2
Businesscheck mark2
Enterprise check mark2Pro check mark
Businesscheck mark
Enterprise check markPro check mark
Businesscheck mark
Enterprise check markPro check mark
Businesscheck mark
Enterprise check markPro check mark6
Businesscheck mark6
Enterprise check mark6Pro check mark
Businesscheck mark
Enterprise check markPro check mark
Businesscheck mark
Enterprise check markPro check mark5
Businesscheck mark5
Enterprise check mark5Pro check mark4
Businesscheck mark4
Enterprise check mark4Pro check mark4
Businesscheck mark4
Enterprise check mark4Pro check mark5
Businesscheck mark5
Enterprise check mark5Pro check mark5
Businesscheck mark5
Enterprise check mark5Pro check mark3
Businesscheck mark3
Enterprise check mark3Pro check mark2
Businesscheck mark2
Enterprise check mark2Pro check mark
Businesscheck mark
Enterprise check markPro check mark4
Businesscheck mark4
Enterprise check mark4Pro check mark3
Businesscheck mark3
Enterprise check mark3Pro check mark
Businesscheck mark
Enterprise check markPro check mark6
Businesscheck mark6
Enterprise check mark6
Procheck markcheck mark11
Enterprise
Procheck mark6check mark611
Enterprise
Procheck mark611check mark6 11
Enterprise
check mark Only for mobile application management (MAM)check mark check mark check markcheck mark check mark cross markcross mark
From 79aa1ec40fdb67558946ea5a0a45fe963b91e092 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:02:45 +0530 Subject: [PATCH 256/370] Updated --- .../mdm/Language-pack-management-csp.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index f4a96bb39f..dab7171589 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -3,7 +3,7 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows @@ -14,16 +14,15 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -52,5 +51,3 @@ The Language Pack Management CSP allows a direct way to provision language packs **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** - - \ No newline at end of file From 127f9618472920da0a49c483a55b616a65dc73de Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:08:19 +0530 Subject: [PATCH 257/370] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index dab7171589..4dbd9ec98a 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,7 +14,7 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. From 379dda9fe220ac586f1746d9999918b7b240cc28 Mon Sep 17 00:00:00 2001 From: Oscar Beaumont Date: Mon, 28 Jun 2021 13:22:01 +1000 Subject: [PATCH 258/370] fixed broken XML & improved readability of examples --- ...erated-authentication-device-enrollment.md | 70 ++++++++----------- 1 file changed, 30 insertions(+), 40 deletions(-) diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 858a51a88b..fe3f5140fd 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -266,12 +266,10 @@ The following is an enrollment policy request example with a received security t https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - + B64EncodedSampleBinarySecurityToken @@ -410,12 +408,9 @@ The following example shows the enrollment web service request for federated aut https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - + B64EncodedSampleBinarySecurityToken @@ -518,21 +513,18 @@ The following example shows the enrollment web service response. xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - + + + ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" + EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" + xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> B64EncodedSampleBinarySecurityToken - 0 - + 0 @@ -558,12 +550,12 @@ The following code shows sample provisioning XML (presented in the preceding pac - - + + - + @@ -581,8 +573,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -598,25 +589,24 @@ The following code shows sample provisioning XML (presented in the preceding pac - - - - + + + + + - - - - - - + + + + + - + ``` @@ -627,4 +617,4 @@ The following code shows sample provisioning XML (presented in the preceding pac - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. -- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. \ No newline at end of file +- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. From d74f41201939238b63d3182185543bf9eb5daad9 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 11:19:27 +0100 Subject: [PATCH 259/370] Update windows-diagnostic-data.md --- windows/privacy/windows-diagnostic-data.md | 36 +++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 68ebf78103..f80e09a6a4 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -28,7 +28,7 @@ Applies to: Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields). -In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. +In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. The data covered in this article is grouped into the following types: @@ -41,7 +41,7 @@ The data covered in this article is grouped into the following types: - Inking, Typing, and Speech Utterance data ## Common data extensions -Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017. +Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944-1:2020. **Data Use for Common data extensions** Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. @@ -66,7 +66,7 @@ Information that is added to most diagnostic events, if relevant and available: ## Device, Connectivity, and Configuration data -This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data. +This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944-1:2020, 8.2.3.2.3 Connectivity data. ### Data Use for Device, Connectivity, and Configuration data @@ -178,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud - Hashed IP address ## Product and Service Usage data -This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability. +This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944-1:2020, 8.2.3.2.4 Observed Usage of the Service Capability. ### Data Use for Product and Service Usage data @@ -242,7 +242,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - Login sessions and state ## Product and Service Performance data -This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data. +This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944-1:2020 8.2.3.2.2 EUII Telemetry data. ### Data Use for Product and Service Performance data @@ -355,7 +355,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - License usage session ## Software Setup and Inventory data -This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability. +This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944-1:2020 8.2.3.2.4 Observed Usage of the Service Capability. ### Data Use for Software Setup and Inventory data @@ -397,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - Windows Insider build details ## Browsing History data -This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history. +This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944-1:2020 8.2.3.2.8 Client-side browsing history. ### Data Use for Browsing History data @@ -429,7 +429,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - Page title ## Inking Typing and Speech Utterance data -This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information. +This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944-1:2020 8.2.3.2.1 End User Identifiable information. ### Data Use for Inking, Typing, and Speech Utterance data @@ -462,31 +462,31 @@ This type of data gathers details about the voice, inking, and typing input feat - Whether user is known to be a child - Confidence and success or failure of speech recognition -## ISO/IEC 19944:2017-specific terminology +## ISO/IEC 19944-1:2020-specific terminology -This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. +This section provides the ISO/IEC 19944-1:2020-specific definitions for use and de-identification qualifiers used in this article. ### Provide -ISO/IEC 19944:2017 Reference: **9.3.2 Provide** +ISO/IEC 19944-1:2020 Reference: **9.3.2 Provide** Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates. ### Improve -ISO/IEC 19944:2017 Reference: **9.3.3 Improve** +ISO/IEC 19944-1:2020 Reference: **9.3.3 Improve** Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users. ### Personalize -ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** +ISO/IEC 19944-1:2020 Reference: **9.3.4 Personalize** Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service. ### Recommend -ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** +ISO/IEC 19944-1:2020 Reference: **9.3.4 Personalize** “Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money. @@ -494,7 +494,7 @@ Use of the specified data categories give recommendations about Microsoft produc ### Offer -ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell** +ISO/IEC 19944-1:2020 Reference: **9.3.5 Offer upgrades or upsell** Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers. @@ -502,14 +502,14 @@ Specifically, use of the specified data categories to make an offer or upsell ne ### Promote -ISO/IEC 19944:2017 Reference: **9.3.6 Market/advertise/promote** +ISO/IEC 19944-1:2020 Reference: **9.3.6 Market/advertise/promote** Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service. ### Data identification qualifiers -Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference: +Here are the data identification qualifiers and the ISO/IEC 19944-1:2020 reference: - **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. - **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. -- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file +- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. From 425f096d8d91f3562919cbe29bcb985d4d8b1e6c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 28 Jun 2021 18:34:23 +0530 Subject: [PATCH 260/370] corrected link as per user report issue #9742, so i corrected the link. all event ids 560, 562 , ....... all comes under **audit object access** --- .../audit-audit-the-access-of-global-system-objects.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4015f85f3f..55abcdd744 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -79,7 +79,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep To audit attempts to access global system objects, you can use one of two security audit policy settings: - [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access -- [Audit object access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy +- [Audit Object Access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate. @@ -92,7 +92,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 4661 | A handle to an object was requested. | | 4663 | An attempt was made to access an object. | -If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated: +If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated: | Event ID | Event message | | - | - | From 3cc91638b91f73efcb650ff26887737485d41420 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 15:43:30 +0100 Subject: [PATCH 261/370] Create essential-services-and-connected-experiences.md --- ...tial-services-and-connected-experiences.md | 301 ++++++++++++++++++ 1 file changed, 301 insertions(+) create mode 100644 windows/privacy/essential-services-and-connected-experiences.md diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md new file mode 100644 index 0000000000..b19454a5ab --- /dev/null +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -0,0 +1,301 @@ +--- +title: Essential Services and Connected Experiences for Windows 10 +description: This article provides information to help IT on the essential services and connected experiences for Windows 10. +keywords: privacy, GDPR, compliance +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: sosulli +ms.author: sosulli +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 28/06/2021 +--- + +# Essential Services and Connected Experiences for Windows 10 + +Applies to: + +- Windows 10, version 1903 and later + +Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. Required service data is collected to enables us provide these cloud-based connected experiences and it's crucial to help keep them secure, up to date and performing properly. Windows diagnostic data is separate from required service data.For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). + +Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. + +While you can control many of the connected experiences that are available to you and your organization, we recommend that you carefully assess the impact of turning off essential services. + +Windows connected experiences and essential services transfer data to Microsoft network endpoints. The article [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) provides details about the different ways to control traffic to these endpoints. Where applicable, each connected experience or essential service includes a link to the specific details on how to control that traffic. + +>[!Note] +>The information in this article describes the most common connected experiences and essential services. We will continue to update our list of connected experiences over time as Windows evolves. + +## Windows 10 Essential Services + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Essential ServiceDescription
Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

+

To turn it off, see Microsoft Account

Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
+If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

+

To turn it off, see Automatic Root Certificates Update

Configuration Service Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

+

To turn it off, see Services Configuration.

Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

+

To turn it off, see Date and Time

Licensing

Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows as well as store applications.

+

To turn it off, see License Manager and Software Protection Platform.

Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

+

To turn off Network Adapters, see Disable-NetAdapter

Setup Service Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

+

To customize the initial setup experience, see Customize Setup

Telemetry

Microsoft collects diagnostic data including error data about your device with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 behaves in the real world, focus on user priorities, find, and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.

+

To turn it off, see Telemetry Services.

Windows Update

Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date.

+

Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

+

To turn it off, see Windows Update

+ +**Windows 10 Connected Experiences** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Connected ExperienceDescription
Device metadata retrieval

When Windows 10 detects a new device, it queries an online service called the Windows Metadata and Internet Services (WMIS) for a metadata package for the device. If a device metadata package is available on WMIS, the Device Metadata Retrieval Client (DMRC) that runs on the local device downloads and installs the package.

+

To turn it off, see Device Metadata Retrieval.

Delivery optimization

Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources (such as other peers on the network), in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

+

If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet.

+

By default, devices running Windows 10 will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

+

To turn it off, see Delivery Optimization.

Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

+

To turn it off, see Speech Recognition.

Find My Device

Find My Device is a feature that can help users locate their Windows 10 device if it's lost or stolen. This feature only works if a Microsoft account is used to logon to the device, the user is an administrator on the device and when location is turned on for the device. Users can find their device by logging in to https://account.microsoft.com/devices under the Find My Device tab.

+

To turn it off, see Find My Device.

Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

+

To turn it off, see Windows Insider Program.

Location services

The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

+

To turn it off, see Location Services.

Microsoft Store

Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

+

To turn it off, see Microsoft Store.

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

+

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

+

To turn it off, see Microsoft Defender Antivirus.

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files.

+

Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.

+

To turn it off, see Microsoft Defender SmartScreen.

Windows Search

Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account(including OneDrive, SharePoint, and other Microsoft services), and the internet.

+

To turn it off, see Windows Search.

Windows Spotlight

Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

+

Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

+

To turn it off, see Windows Spotlight.

Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

+

Synchronization across devices only works when a user signs in with the same account.

+

To turn it off, see Activity History.

Settings Synchronization

With settings synchronization is turned on, a user's settings are synced across all Windows 10 devices when they sign in with the same account.

+

To turn it off, see Sync Your Settings

Cloud Clipboard

Cloud Clipboard enables users to copy images and text across all Windows 10 devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

+

To turn it off, see Cloud Clipboard

OneDrive

OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.

+

To turn off OneDrive, see OneDrive.

Font Streaming

Font Streaming enables Windows 10 devices to download fonts that are included in Windows but that are not stored on the local device on demand.

+

To turn it off, see Font Streaming.

+ +**Edge Essential Services and Connected Experiences** + +Windows ships with Microsoft Edge and Internet Explorer on Windows 10 devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. + +You can find details on all of Edge's connected experiences and essential services [here](https://docs.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/). + +To turn off specific Edge feature, see [Microsoft Edge](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#13-microsoft-edge). + +**IE Essential Services and Connected Experiences** + +Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer. + +Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#8-internet-explorer). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Connected ExperiencesDescription
ActiveX Filtering

ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without user's permission.

+

ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps. This can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.

+

To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls.

Suggested SitesSuggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.
Address Bar and Search suggestionsWith search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information it will be sent to the default search provider.
Auto-complete feature for web addressesThe auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar.
Compatibility loggingThis feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed.
Compatibility ViewCompatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing.
Flip aheadFlip ahead enables your users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting your users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website.
Web SlicesA Web Slice enables users to subscribe to and automatically receive updates to content directly within a Web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices.
Accelerators

Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options.

+

For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word.

Pinning websites to StartWhen a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has.
+ +**Related links** + +[Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) + +[Connected Experiences in Office.](https://docs.microsoft.com/en-us/deployoffice/privacy/connected-experiences) + +[Essential Services in Office.](https://docs.microsoft.com/en-us/deployoffice/privacy/essential-services) + +To view endpoints for Windows 10 Enterprise, see: + +- + +- [Manage connection endpoints for Windows 10, version 20H2](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints)[Manage connection endpoints for Windows 10, version 1909](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1909-endpoints) + +- [Manage connection endpoints for Windows 10, version 1903](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints) + +- [Manage connection endpoints for Windows 10, version 1809](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints) + +- [Manage connection endpoints for Windows 10, version 1803](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1803-endpoints) + +- [Manage connection endpoints for Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1709-endpoints) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- Windows 10, version 20H2, connection endpoints for non-Enterprise editions + +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1909-non-enterprise-editions) + +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1903-non-enterprise-editions) + +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1809-non-enterprise-editions) + +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1803-non-enterprise-editions) + +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1709-non-enterprise-editions) From 32b7cf8dbc6f55f3891acf7c5c0d695c4f4933ef Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 15:58:53 +0100 Subject: [PATCH 262/370] Update essential-services-and-connected-experiences.md --- ...tial-services-and-connected-experiences.md | 100 +++++++++--------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index b19454a5ab..ae5024d5d3 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -8,12 +8,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high audience: ITPro -author: sosulli -ms.author: sosulli +author: siosulli +ms.author: siosulli manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 28/06/2021 +ms.date: 6/28/2021 --- # Essential Services and Connected Experiences for Windows 10 @@ -46,54 +46,54 @@ Windows connected experiences and essential services transfer data to Microsoft Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

-

To turn it off, see Microsoft Account

+

To turn it off, see Microsoft Account

Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

-

To turn it off, see Automatic Root Certificates Update

+

To turn it off, see Automatic Root Certificates Update

Configuration Service Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.

+

To turn it off, see Services Configuration.

Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

-

To turn it off, see Date and Time

+

To turn it off, see Date and Time

Licensing

Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows as well as store applications.

-

To turn it off, see License Manager and Software Protection Platform.

+

To turn it off, see License Manager and Software Protection Platform.

Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

-

To turn off Network Adapters, see Disable-NetAdapter

+

To turn off Network Adapters, see Disable-NetAdapter

Setup Service Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

-

To customize the initial setup experience, see Customize Setup

+

To customize the initial setup experience, see Customize Setup

Telemetry

Microsoft collects diagnostic data including error data about your device with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 behaves in the real world, focus on user priorities, find, and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.

-

To turn it off, see Telemetry Services.

+

To turn it off, see Telemetry Services.

Windows Update

Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date.

Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Windows Update

+

To turn it off, see Windows Update

-**Windows 10 Connected Experiences** +## Windows 10 Connected Experiences @@ -106,105 +106,105 @@ If automatic updates are turned off, applications and websites may stop working +

To turn it off, see Device Metadata Retrieval.

+

To turn it off, see Delivery Optimization.

+

To turn it off, see Speech Recognition.

+

To turn it off, see Find My Device.

+

To turn it off, see Windows Insider Program.

+

To turn it off, see Location Services.

+

To turn it off, see Microsoft Store.

+

To turn it off, see Microsoft Defender Antivirus.

+

To turn it off, see Microsoft Defender SmartScreen.

+

To turn it off, see Windows Search.

+

To turn it off, see Windows Spotlight.

+

To turn it off, see Activity History.

+

To turn it off, see Sync Your Settings

+

To turn it off, see Cloud Clipboard

+

To turn off OneDrive, see OneDrive.

+

To turn it off, see Font Streaming.

Device metadata retrieval

When Windows 10 detects a new device, it queries an online service called the Windows Metadata and Internet Services (WMIS) for a metadata package for the device. If a device metadata package is available on WMIS, the Device Metadata Retrieval Client (DMRC) that runs on the local device downloads and installs the package.

-

To turn it off, see Device Metadata Retrieval.
Delivery optimization

Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources (such as other peers on the network), in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet.

By default, devices running Windows 10 will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

-

To turn it off, see Delivery Optimization.
Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

-

To turn it off, see Speech Recognition.
Find My Device

Find My Device is a feature that can help users locate their Windows 10 device if it's lost or stolen. This feature only works if a Microsoft account is used to logon to the device, the user is an administrator on the device and when location is turned on for the device. Users can find their device by logging in to https://account.microsoft.com/devices under the Find My Device tab.

-

To turn it off, see Find My Device.
Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

-

To turn it off, see Windows Insider Program.
Location services

The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

-

To turn it off, see Location Services.
Microsoft Store

Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

-

To turn it off, see Microsoft Store.
Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus.
Microsoft Defender SmartScreen

Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files.

Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.

-

To turn it off, see Microsoft Defender SmartScreen.
Windows Search

Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account(including OneDrive, SharePoint, and other Microsoft services), and the internet.

-

To turn it off, see Windows Search.
Windows Spotlight

Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

-

To turn it off, see Windows Spotlight.
Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History.
Settings Synchronization

With settings synchronization is turned on, a user's settings are synced across all Windows 10 devices when they sign in with the same account.

-

To turn it off, see Sync Your Settings
Cloud Clipboard

Cloud Clipboard enables users to copy images and text across all Windows 10 devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

-

To turn it off, see Cloud Clipboard
OneDrive

OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.

-

To turn off OneDrive, see OneDrive.
Font Streaming

Font Streaming enables Windows 10 devices to download fonts that are included in Windows but that are not stored on the local device on demand.

-

To turn it off, see Font Streaming.
-**Edge Essential Services and Connected Experiences** +## Edge Essential Services and Connected Experiences Windows ships with Microsoft Edge and Internet Explorer on Windows 10 devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. -You can find details on all of Edge's connected experiences and essential services [here](https://docs.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/). +You can find details on all of Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper/). -To turn off specific Edge feature, see [Microsoft Edge](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#13-microsoft-edge). +To turn off specific Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services#13-microsoft-edge). -**IE Essential Services and Connected Experiences** +## IE Essential Services and Connected Experiences Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer. -Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#8-internet-explorer). +Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services#8-internet-explorer). @@ -264,38 +264,38 @@ Note: Apart from ActiveX Filtering, which is an essential service, all other fea
-**Related links** +## Related links -[Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Manage connections from Windows 10 operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services) -[Connected Experiences in Office.](https://docs.microsoft.com/en-us/deployoffice/privacy/connected-experiences) +- [Connected Experiences in Office.](/deployoffice/privacy/connected-experiences) -[Essential Services in Office.](https://docs.microsoft.com/en-us/deployoffice/privacy/essential-services) +- [Essential Services in Office.](/deployoffice/privacy/essential-services) To view endpoints for Windows 10 Enterprise, see: -- +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints) -- [Manage connection endpoints for Windows 10, version 20H2](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints)[Manage connection endpoints for Windows 10, version 1909](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1909-endpoints) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints) -- [Manage connection endpoints for Windows 10, version 1903](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints) -- [Manage connection endpoints for Windows 10, version 1809](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints) -- [Manage connection endpoints for Windows 10, version 1803](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1803-endpoints) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints) -- [Manage connection endpoints for Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1709-endpoints) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints) To view endpoints for non-Enterprise Windows 10 editions, see: -- Windows 10, version 20H2, connection endpoints for non-Enterprise editions +- Windows 10, version 20H2, connection endpoints for non-Enterprise editions -- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1909-non-enterprise-editions) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions) -- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1903-non-enterprise-editions) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions) -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1809-non-enterprise-editions) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1803-non-enterprise-editions) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1709-non-enterprise-editions) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions) From 920a6be5544faecf7c71b35fcc58abb9d9d391fc Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 16:13:09 +0100 Subject: [PATCH 263/370] Update essential-services-and-connected-experiences.md --- ...tial-services-and-connected-experiences.md | 48 ++++++++----------- 1 file changed, 21 insertions(+), 27 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index ae5024d5d3..a6f49de021 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -198,13 +198,13 @@ Windows ships with Microsoft Edge and Internet Explorer on Windows 10 devices. M You can find details on all of Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper/). -To turn off specific Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services#13-microsoft-edge). +To turn off specific Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge). ## IE Essential Services and Connected Experiences Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer. -Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services#8-internet-explorer). +Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#8-internet-explorer). @@ -266,36 +266,30 @@ Note: Apart from ActiveX Filtering, which is an essential service, all other fea ## Related links -- [Manage connections from Windows 10 operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Manage connections from Windows 10 operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Connected Experiences in Office.](/deployoffice/privacy/connected-experiences) +- [Connected Experiences in Office.](/deployoffice/privacy/connected-experiences.md) -- [Essential Services in Office.](/deployoffice/privacy/essential-services) +- [Essential Services in Office.](/deployoffice/privacy/essential-services.md) + +## Other Windows 10 editions To view endpoints for Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints) - -- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints) - -- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints) - -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints) - -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints) - -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints) +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md) +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: -- Windows 10, version 20H2, connection endpoints for non-Enterprise editions - -- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions) - -- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions) - -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions) - -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions) - -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions) +- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](manage-windows-20h2-endpoints.md) +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) From f23a81195983e60ab45ed29453efc575f44485ea Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 16:29:50 +0100 Subject: [PATCH 264/370] Update essential-services-and-connected-experiences.md --- .../essential-services-and-connected-experiences.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index a6f49de021..effda1cdb9 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -46,28 +46,28 @@ Windows connected experiences and essential services transfer data to Microsoft +

To turn it off, see Microsoft Account

+

To turn it off, see Automatic Root Certificates Update

+

To turn it off, see Services Configuration.

+

To turn it off, see Date and Time

+

To turn it off, see License Manager and Software Protection Platform.

@@ -77,7 +77,7 @@ If automatic updates are turned off, applications and websites may stop working +

To customize the initial setup experience, see Customize Setup

From 4497fee51b2b1d8d1176a86ce303d395849492cc Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:34:58 -0600 Subject: [PATCH 265/370] Apply suggestions from code review --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 4dbd9ec98a..40b8e8546f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -40,7 +40,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From 14e116c6ffe6f80bd2ef37c544854d76a84dd00f Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 16:35:40 +0100 Subject: [PATCH 266/370] Update essential-services-and-connected-experiences.md --- ...tial-services-and-connected-experiences.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index effda1cdb9..eeb9953de7 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -46,13 +46,13 @@ Windows connected experiences and essential services transfer data to Microsoft +

To turn it off, see Microsoft Account

+

To turn it off, see Automatic Root Certificates Update

@@ -82,13 +82,13 @@ If automatic updates are turned off, applications and websites may stop working +

To turn it off, see Telemetry Services.

+

To turn it off, see Windows Update

Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

-

To turn it off, see Microsoft Account
Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

-

To turn it off, see Automatic Root Certificates Update
Configuration Service Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.
Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

-

To turn it off, see Date and Time
Licensing

Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows as well as store applications.

-

To turn it off, see License Manager and Software Protection Platform.
Networking
Setup Service Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

-

To customize the initial setup experience, see Customize Setup
Telemetry
Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

-

To turn it off, see Microsoft Account
Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

-

To turn it off, see Automatic Root Certificates Update
Configuration Service Services Configuration
Telemetry

Microsoft collects diagnostic data including error data about your device with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 behaves in the real world, focus on user priorities, find, and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.

-

To turn it off, see Telemetry Services.
Windows Update

Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date.

Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Windows Update
@@ -106,88 +106,88 @@ If automatic updates are turned off, applications and websites may stop working Device metadata retrieval

When Windows 10 detects a new device, it queries an online service called the Windows Metadata and Internet Services (WMIS) for a metadata package for the device. If a device metadata package is available on WMIS, the Device Metadata Retrieval Client (DMRC) that runs on the local device downloads and installs the package.

-

To turn it off, see Device Metadata Retrieval.

+

To turn it off, see Device Metadata Retrieval.

Delivery optimization

Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources (such as other peers on the network), in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet.

By default, devices running Windows 10 will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

-

To turn it off, see Delivery Optimization.

+

To turn it off, see Delivery Optimization.

Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

-

To turn it off, see Speech Recognition.

+

To turn it off, see Speech Recognition.

Find My Device

Find My Device is a feature that can help users locate their Windows 10 device if it's lost or stolen. This feature only works if a Microsoft account is used to logon to the device, the user is an administrator on the device and when location is turned on for the device. Users can find their device by logging in to https://account.microsoft.com/devices under the Find My Device tab.

-

To turn it off, see Find My Device.

+

To turn it off, see Find My Device.

Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

-

To turn it off, see Windows Insider Program.

+

To turn it off, see Windows Insider Program.

Location services

The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

-

To turn it off, see Location Services.

+

To turn it off, see Location Services.

Microsoft Store

Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

-

To turn it off, see Microsoft Store.

+

To turn it off, see Microsoft Store.

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus.

+

To turn it off, see Microsoft Defender Antivirus.

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files.

Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.

-

To turn it off, see Microsoft Defender SmartScreen.

+

To turn it off, see Microsoft Defender SmartScreen.

Windows Search

Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account(including OneDrive, SharePoint, and other Microsoft services), and the internet.

-

To turn it off, see Windows Search.

+

To turn it off, see Windows Search.

Windows Spotlight

Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

-

To turn it off, see Windows Spotlight.

+

To turn it off, see Windows Spotlight.

Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History.

+

To turn it off, see Activity History.

Settings Synchronization

With settings synchronization is turned on, a user's settings are synced across all Windows 10 devices when they sign in with the same account.

-

To turn it off, see Sync Your Settings

+

To turn it off, see Sync Your Settings

Cloud Clipboard

Cloud Clipboard enables users to copy images and text across all Windows 10 devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

-

To turn it off, see Cloud Clipboard

+

To turn it off, see Cloud Clipboard

OneDrive

OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.

-

To turn off OneDrive, see OneDrive.

+

To turn off OneDrive, see OneDrive.

Font Streaming

Font Streaming enables Windows 10 devices to download fonts that are included in Windows but that are not stored on the local device on demand.

-

To turn it off, see Font Streaming.

+

To turn it off, see Font Streaming.

From b20ff81b07a24be019f09cc0aad92c4462c4f700 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:38:48 -0700 Subject: [PATCH 267/370] Update windows/client-management/mdm/Language-pack-management-csp.md Co-authored-by: Diana Hanson --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 40b8e8546f..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,7 +39,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. -> [!NOTE] + > [!NOTE] > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From acbcb2af334d511dc268af19e4df7e533063b797 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:40:57 -0600 Subject: [PATCH 268/370] Pencil edit indenting note --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 0a1e9f72a4..ab539346d8 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From a8a6c1e53d2a0314b4d7c60e8f47b8d809c74d6f Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:45:44 -0600 Subject: [PATCH 269/370] Pencil edit indent note more --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ab539346d8..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From 9463ad848deeff7a0933e11584528a307f57f1a5 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 16:49:51 +0100 Subject: [PATCH 270/370] Update essential-services-and-connected-experiences.md --- .../essential-services-and-connected-experiences.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index eeb9953de7..c0255242e2 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -72,8 +72,8 @@ If automatic updates are turned off, applications and websites may stop working Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

-

To turn off Network Adapters, see Disable-NetAdapter

- +

To turn off Network Adapters, see Disable-NetAdapter

+ Setup Service Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

@@ -167,7 +167,7 @@ If automatic updates are turned off, applications and websites may stop working Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History.

+

To turn it off, see Activity History.

Settings Synchronization @@ -287,7 +287,7 @@ To view endpoints for Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](manage-windows-20h2-endpoints.md) -- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md.md) +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) From ac723009ef483f88684707563a95f415dc7d7b1a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:49:57 -0700 Subject: [PATCH 271/370] term updates --- windows/client-management/mdm/policy-csp-admx-printing.md | 6 +++--- windows/client-management/windows-10-mobile-and-mdm.md | 2 +- .../deployment/upgrade/upgrade-windows-phone-8-1-to-10.md | 2 +- windows/security/threat-protection/auditing/event-4624.md | 2 +- windows/security/threat-protection/auditing/event-4648.md | 2 +- windows/security/threat-protection/auditing/event-4688.md | 2 +- windows/security/threat-protection/auditing/event-4696.md | 2 +- windows/security/threat-protection/auditing/event-4703.md | 2 +- windows/security/threat-protection/auditing/event-4704.md | 2 +- windows/security/threat-protection/auditing/event-4705.md | 2 +- windows/security/threat-protection/auditing/event-4717.md | 2 +- windows/security/threat-protection/auditing/event-4718.md | 2 +- windows/security/threat-protection/auditing/event-4732.md | 2 +- windows/security/threat-protection/auditing/event-4733.md | 2 +- windows/security/threat-protection/auditing/event-4751.md | 2 +- windows/security/threat-protection/auditing/event-4752.md | 2 +- windows/security/threat-protection/auditing/event-4768.md | 2 +- windows/security/threat-protection/auditing/event-4771.md | 2 +- windows/security/threat-protection/auditing/event-4776.md | 2 +- windows/security/threat-protection/auditing/event-4778.md | 2 +- windows/security/threat-protection/auditing/event-4779.md | 2 +- 21 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index c831b4a527..3ed6f22a6c 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1842,11 +1842,11 @@ Available in the latest Windows 10 Insider Preview Build. Announces the presence On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. -If you enable this setting, the print spooler announces shared printers to the print browse master servers. +If you enable this setting, the print spooler announces shared printers to the print browse main servers. -If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available. +If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available. -If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available. +If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available. > [!NOTE] > A client license is used each time a client computer announces a printer to a print browse master on the domain. diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 608f2041b2..47b2fc60cb 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -978,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre - **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). - **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). - **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. -- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. +- **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. #### Example scenario diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 2876fbd034..d07348165d 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade. +If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade. Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f34d8e3ae4..27db3be3f3 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 8483ee08ac..44eb565de4 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring | **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 39167d9431..6e90a42a1e 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -193,7 +193,7 @@ For 4688(S): A new process has been created. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 520d0d5d1e..e35c7d44e0 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 243fa17ce2..3d024b8ccf 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 4dc7eb2c64..a4e0e07aa3 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -153,7 +153,7 @@ For 4704(S): A user right was assigned. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 9478ffd125..83accc384e 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -152,7 +152,7 @@ For 4705(S): A user right was removed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index 32576cdc3b..3b438e68d4 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 2c7f91f8c7..75f96131fe 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 43c74c4d05..543455432e 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b7bad044d0..2b749c0511 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index a6ac4afde8..39888ce838 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 7a81d28e4f..a1e4dff838 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index d4de56e2c7..cea554341c 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index ec7a4064e5..c5aea23ecb 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -274,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index d5d1fcdf4f..75dc6a4a69 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | | **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 74b7630bc6..8293e41487 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 7cf0dec285..f9c2757ab6 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | From 40664b79fbf7f9d650ee4220890c3ef2fe8a574b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:57:46 -0700 Subject: [PATCH 272/370] term up --- windows/client-management/mdm/policy-csp-admx-printing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 3ed6f22a6c..0781ec7432 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1838,7 +1838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain. +Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. From 5133474ae4de73b40857afd285a5cf408e0d2686 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 28 Jun 2021 09:48:04 -0700 Subject: [PATCH 273/370] I added the Getting started with commandlets section. --- .../select-types-of-rules-to-create.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index b3aeeaf2ec..ee3192a969 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -27,6 +27,13 @@ ms.technology: mde Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. +## Getting started with commdlets +Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module | Microsoft Docs)](powershell/module/configci) support but do not have the module installed on the box. + +**Steps to install the module:** +- Install-Module "ConfigCI" +- Import-Module "ConfigCI" + ## Windows Defender Application Control policy rules To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy: From 6243c7987c3dbc7c8594428897aff7ced287c61f Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 18:26:32 +0100 Subject: [PATCH 274/370] Update essential-services-and-connected-experiences.md --- .../essential-services-and-connected-experiences.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index c0255242e2..d887a20743 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -18,15 +18,13 @@ ms.date: 6/28/2021 # Essential Services and Connected Experiences for Windows 10 -Applies to: +**Applies to:** - Windows 10, version 1903 and later -Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. Required service data is collected to enables us provide these cloud-based connected experiences and it's crucial to help keep them secure, up to date and performing properly. Windows diagnostic data is separate from required service data.For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). -Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. - -While you can control many of the connected experiences that are available to you and your organization, we recommend that you carefully assess the impact of turning off essential services. +Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. While you can control many of the connected experiences that are available to you and your organization, we recommend that you carefully assess the impact of turning off essential services. Windows connected experiences and essential services transfer data to Microsoft network endpoints. The article [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) provides details about the different ways to control traffic to these endpoints. Where applicable, each connected experience or essential service includes a link to the specific details on how to control that traffic. @@ -55,7 +53,6 @@ If automatic updates are turned off, applications and websites may stop working

To turn it off, see Automatic Root Certificates Update

-Configuration Service Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

To turn it off, see Services Configuration.

@@ -73,9 +70,9 @@ If automatic updates are turned off, applications and websites may stop working Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

To turn off Network Adapters, see Disable-NetAdapter

- -Setup Service Device setup +Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

To customize the initial setup experience, see Customize Setup

From 6c795d046171f634cb9ce4dcff38fa7af202ad1a Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 18:28:01 +0100 Subject: [PATCH 275/370] updates-dpsw --- .../privacy/essential-services-and-connected-experiences.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index d887a20743..6248a9e940 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -229,10 +229,6 @@ Note: Apart from ActiveX Filtering, which is an essential service, all other fea Auto-complete feature for web addresses The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. - - - - Compatibility logging This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. From 6d52b9b2c51d029a930e117fa7a3b71fca4af698 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 18:34:15 +0100 Subject: [PATCH 276/370] Update essential-services-and-connected-experiences.md --- windows/privacy/essential-services-and-connected-experiences.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 6248a9e940..1e45b7afda 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -53,6 +53,7 @@ If automatic updates are turned off, applications and websites may stop working

To turn it off, see Automatic Root Certificates Update

+Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

To turn it off, see Services Configuration.

From 69c8580b7110cb2a8743e7c3f037fcd51c0b5578 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 20:21:59 +0100 Subject: [PATCH 277/370] Update essential-services-and-connected-experiences.md --- ...essential-services-and-connected-experiences.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 1e45b7afda..adb832d45c 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -22,7 +22,11 @@ ms.date: 6/28/2021 - Windows 10, version 1903 and later -Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. + +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. + +Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. While you can control many of the connected experiences that are available to you and your organization, we recommend that you carefully assess the impact of turning off essential services. @@ -55,7 +59,7 @@ If automatic updates are turned off, applications and websites may stop working Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.

+

To turn it off, see Services Configuration.

Date and Time @@ -116,7 +120,7 @@ If automatic updates are turned off, applications and websites may stop working Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

-

To turn it off, see Speech Recognition.

+

To turn it off, see Speech Recognition.

Find My Device @@ -126,7 +130,7 @@ If automatic updates are turned off, applications and websites may stop working Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

-

To turn it off, see Windows Insider Program.

+

To turn it off, see Windows Insider Program.

Location services @@ -142,7 +146,7 @@ If automatic updates are turned off, applications and websites may stop working Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus.

+

To turn it off, see Microsoft Defender Antivirus.

Microsoft Defender SmartScreen From 4d4b75f0bc10e3d9ce65b83fe68e68261f6f6b79 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 20:35:29 +0100 Subject: [PATCH 278/370] Update essential-services-and-connected-experiences.md --- .../privacy/essential-services-and-connected-experiences.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index adb832d45c..71770ac219 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -24,7 +24,7 @@ ms.date: 6/28/2021 Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. -When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -59,12 +59,12 @@ If automatic updates are turned off, applications and websites may stop working Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.

+

To turn it off, see Services Configuration.

Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

-

To turn it off, see Date and Time

+

To turn it off, see Date and Time

Licensing From 213795e4ba375fb38d95579d5c2a46cbf3f77d7a Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 20:42:06 +0100 Subject: [PATCH 279/370] Update essential-services-and-connected-experiences.md --- ...tial-services-and-connected-experiences.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 71770ac219..3e9c11626f 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -24,7 +24,7 @@ ms.date: 6/28/2021 Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. -When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -48,23 +48,23 @@ Windows connected experiences and essential services transfer data to Microsoft Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

-

To turn it off, see Microsoft Account

+

To turn it off, see Microsoft Account.

Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

-

To turn it off, see Automatic Root Certificates Update

+

To turn it off, see Automatic Root Certificates Update.

Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.

+

To turn it off, see Services Configuration.

Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

-

To turn it off, see Date and Time

+

To turn it off, see Date and Time

Licensing @@ -74,12 +74,12 @@ If automatic updates are turned off, applications and websites may stop working Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

-

To turn off Network Adapters, see Disable-NetAdapter

+

To turn off Network Adapters, see Disable-NetAdapter.

Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

-

To customize the initial setup experience, see Customize Setup

+

To customize the initial setup experience, see Customize Setup.

Telemetry @@ -90,7 +90,7 @@ If automatic updates are turned off, applications and websites may stop working Windows Update

Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date.

Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Windows Update

+

To turn it off, see Windows Update.

@@ -115,38 +115,38 @@ If automatic updates are turned off, applications and websites may stop working

Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources (such as other peers on the network), in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet.

By default, devices running Windows 10 will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

-

To turn it off, see Delivery Optimization.

+

To turn it off, see Delivery Optimization.

Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

-

To turn it off, see Speech Recognition.

+

To turn it off, see Speech Recognition.

Find My Device

Find My Device is a feature that can help users locate their Windows 10 device if it's lost or stolen. This feature only works if a Microsoft account is used to logon to the device, the user is an administrator on the device and when location is turned on for the device. Users can find their device by logging in to https://account.microsoft.com/devices under the Find My Device tab.

-

To turn it off, see Find My Device.

+

To turn it off, see Find My Device.

Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

-

To turn it off, see Windows Insider Program.

+

To turn it off, see Windows Insider Program.

Location services

The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

-

To turn it off, see Location Services.

+

To turn it off, see Location Services.

Microsoft Store

Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

-

To turn it off, see Microsoft Store.

+

To turn it off, see Microsoft Store.

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus.

+

To turn it off, see Microsoft Defender Antivirus..

Microsoft Defender SmartScreen @@ -163,23 +163,23 @@ If automatic updates are turned off, applications and websites may stop working Windows Spotlight

Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

-

To turn it off, see Windows Spotlight.

+

To turn it off, see Windows Spotlight.

Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History.

+

To turn it off, see Activity History..

Settings Synchronization

With settings synchronization is turned on, a user's settings are synced across all Windows 10 devices when they sign in with the same account.

-

To turn it off, see Sync Your Settings

+

To turn it off, see Sync Your Settings.

Cloud Clipboard

Cloud Clipboard enables users to copy images and text across all Windows 10 devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

-

To turn it off, see Cloud Clipboard

+

To turn it off, see Cloud Clipboard.

OneDrive From 7817b987f75462c82fc7d34787be04d87fddc23c Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 28 Jun 2021 20:48:22 +0100 Subject: [PATCH 280/370] Update essential-services-and-connected-experiences.md --- .../essential-services-and-connected-experiences.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 3e9c11626f..edb5b8d8af 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -52,8 +52,8 @@ Windows connected experiences and essential services transfer data to Microsoft Certificates -

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
-If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

+

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

+

If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

To turn it off, see Automatic Root Certificates Update.

@@ -146,7 +146,7 @@ If automatic updates are turned off, applications and websites may stop working Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus..

+

To turn it off, see Microsoft Defender Antivirus.

Microsoft Defender SmartScreen @@ -169,7 +169,7 @@ If automatic updates are turned off, applications and websites may stop working Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History..

+

To turn it off, see Activity History.

Settings Synchronization From 2e8ded285f3d5efbea683bd150c8f569da17b0b1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:25:30 -0700 Subject: [PATCH 281/370] fix duplicate and hook up article to toc --- windows/configuration/TOC.yml | 2 +- .../cortana-at-work-testing-scenarios.md | 12 +++--------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index a5a0bbbb07..803fc6fa2a 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -138,7 +138,7 @@ - name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization href: cortana-at-work/cortana-at-work-o365.md - name: Testing scenarios using Cortana in your business or organization - href: cortana-at-work/cortana-at-work-testing-scenarios.md + href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query href: cortana-at-work/test-scenario-1.md - name: Test scenario 2 - Perform a quick search with Cortana at work diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 46b62aec12..02f6340c08 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios using Cortana in your business or organization (Windows 10) +title: Cortana at work testing scenarios description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 ms.mktglfcycl: manage @@ -7,25 +7,19 @@ ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium ms.author: greglin -ms.date: 10/05/2017 +ms.date: 06/28/2021 ms.reviewer: manager: dansimp --- -# Testing scenarios using Cortana in your business or organization +# Cortana at work testing scenarios We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: - [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md) - - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md) - - [Set a reminder](cortana-at-work-scenario-3.md) - - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md) - - [Find out about a person](cortana-at-work-scenario-5.md) - - [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md) - - [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) \ No newline at end of file From 4713be3c03c7b29ede68a4daefd77ceea2f1042f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:28:12 -0700 Subject: [PATCH 282/370] Update cortana-at-work-testing-scenarios.md --- .../cortana-at-work/cortana-at-work-testing-scenarios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 02f6340c08..8137313839 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -1,6 +1,6 @@ --- title: Cortana at work testing scenarios -description: A list of suggested testing scenarios that you can use to test Cortana in your organization. +description: Suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From 6de0f33c286c674a4b828cd55a5d6367120c5544 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:31:49 -0700 Subject: [PATCH 283/370] toc rename node --- windows/configuration/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 803fc6fa2a..867a205b26 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -117,7 +117,7 @@ items: - name: Set up and test Cortana in Windows 10, version 2004 and later href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md - - name: Testing scenarios using Cortana in your business or organization + - name: Cortana at work testing scenarios href: cortana-at-work/cortana-at-work-testing-scenarios.md - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query href: cortana-at-work/cortana-at-work-scenario-1.md From 6c2c743438e594ae16a330447e065e3a41ad08f5 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:04:52 -0700 Subject: [PATCH 284/370] Removal of ransomware-malware article --- .openpublishing.redirection.json | 5 ++ windows/security/threat-protection/TOC.yml | 2 +- .../threat-protection/intelligence/TOC.yml | 2 +- .../intelligence/criteria.md | 2 +- .../intelligence/phishing-trends.md | 2 +- .../intelligence/ransomware-malware.md | 77 ------------------- .../intelligence/understanding-malware.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 1 - 8 files changed, 10 insertions(+), 83 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/ransomware-malware.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8dbea776cc..25d94e8125 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18920,6 +18920,11 @@ "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/intelligence/ransomware-malware.md", + "redirect_url": "/security/compass/human-operated-ransomware", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md", "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index e310d0d993..60b48e0739 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -193,7 +193,7 @@ - name: Phishing href: intelligence/phishing.md - name: Ransomware - href: intelligence/ransomware-malware.md + href: /security/compass/human-operated-ransomware - name: Rootkits href: intelligence/rootkits-malware.md - name: Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml index eb239b51c5..78fea4eba3 100644 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ b/windows/security/threat-protection/intelligence/TOC.yml @@ -18,7 +18,7 @@ - name: Phishing trends and techniques href: phishing-trends.md - name: Ransomware - href: ransomware-malware.md + href: /security/compass/human-operated-ransomware - name: Rootkits href: rootkits-malware.md - name: Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 8f05e1c296..381dc66ce4 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -62,7 +62,7 @@ Microsoft classifies most malicious software into one of the following categorie * **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. -* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). +* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware). * **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md index 9645672acd..1785d95a38 100644 --- a/windows/security/threat-protection/intelligence/phishing-trends.md +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -41,7 +41,7 @@ An attacker sends a fraudulent email requesting you to open or download a docume ## Phishing emails that deliver other threats -Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. +Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md deleted file mode 100644 index 5a04348f87..0000000000 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Ransomware -ms.reviewer: -description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. -keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora -ms.prod: m365-security -ms.mktglfcycl: secure -ms.sitesec: library -ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -search.appverid: met150 -ms.technology: mde ---- -# Ransomware - -Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted. - -The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks. - -## How ransomware works - -Most ransomware infections start with: - -- Email messages with attachments that try to install ransomware. - -- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. - -Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. - -Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses. - -### Examples - -Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits. - -- Spora drops ransomware copies in network shares. - -- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. - -- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. - -Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. - -Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. - -**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks. - -## How to protect against ransomware - -Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms. - -To provide the best protection against ransomware attacks, Microsoft recommends that you: - -- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. - -- Apply the latest updates to your operating systems and apps. - -- Educate your employees so they can identify social engineering and spear-phishing attacks. - -- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. - -For more general tips, see [prevent malware infection](prevent-malware-infection.md). - -## Human-operated ransomware - -Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. - -Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. - -The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). - -See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 63477837e9..f98d44ceb7 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -32,7 +32,7 @@ There are many types of malware, including: - [Exploits and exploit kits](exploits-malware.md) - [Macro malware](macro-malware.md) - [Phishing](phishing.md) -- [Ransomware](ransomware-malware.md) +- [Ransomware](/security/compass/human-operated-ransomware) - [Rootkits](rootkits-malware.md) - [Supply chain attacks](supply-chain-malware.md) - [Tech support scams](support-scams.md) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index cd82d2c618..b9b73c1bcb 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -141,7 +141,6 @@ This also means you’ll see more links to other security apps within **Windows You can read more about ransomware mitigations and detection capability at: - [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware security intelligence](/windows/security/threat-protection/intelligence/ransomware-malware) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) From 86c3b2f3618f0fc57c970fbef3ea98156e732255 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:06:14 -0700 Subject: [PATCH 285/370] Update whats-new-windows-10-version-1703.md --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 2c639ff2a3..b05bba2289 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -150,7 +150,7 @@ New features for Microsoft Defender AV in Windows 10, version 1703 include: In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). -You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [ransomware information topic](/windows/security/threat-protection/intelligence/ransomware-malware) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). +You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). ### Device Guard and Credential Guard From f5fb120b36094e6a5ee3bcf57a2da0890a15cc62 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:10:22 -0700 Subject: [PATCH 286/370] Update whats-new-windows-10-2019.md --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index b9b73c1bcb..2b62e7fc98 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security From 31939be3bc76a31327092f1d4b8c7831ac0356ad Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 28 Jun 2021 17:41:55 -0700 Subject: [PATCH 287/370] Corrected note styles, adjusted layout, added punctuation, minor fixes --- .../hello-feature-pin-reset.md | 41 +++++++++++++------ .../threat-protection/auditing/event-4627.md | 15 ++++--- 2 files changed, 38 insertions(+), 18 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index c772362fa2..6d78a9e26b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -50,17 +50,17 @@ Destructive and non-destructive PIN reset use the same entry points for initiati For Azure AD joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Click **I forgot my PIN** from the PIN credential provider -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e. Password, PIN, Security key) -1. Follow the instructions provided by the provisioning process +1. Click **I forgot my PIN** from the PIN credential provider. +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key). +1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. For Hybrid Azure AD joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. -1. Click **I forgot my PIN** from the PIN credential provider +1. Click **I forgot my PIN** from the PIN credential provider. 1. Enter your password and press enter. -1. Follow the instructions provided by the provisioning process +1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. > [!NOTE] @@ -94,13 +94,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. + ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) - > [!NOTE] - > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. + + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + + > [!NOTE] + > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. + 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. > [!div class="mx-imgBorder"] @@ -122,7 +129,7 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput 1. Set **Enable PIN recovery** to **Yes**. > [!NOTE] -> You can also setup PIN recovery using configuration profiles. +> You can also set up PIN recovery using configuration profiles. > > 1. Sign in to Endpoint Manager. > 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. @@ -141,7 +148,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta #### Sample User state Output for Destructive PIN Reset -``` +```console +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ @@ -160,7 +167,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta #### Sample User state Output for Non-Destructive PIN Reset -``` +```console +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ @@ -189,21 +196,29 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au ### Configuring Policy Using Intune 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. + 1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**. + 1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create. + 1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. + 1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings + - **Name:** Web Sign In Allowed URLs - **Description:** (Optional) List of domains that are allowed during PIN reset flows. - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls - **Data type:** String - - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com (no double quotes) + - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png) + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: 1. Click the Save button to save the custom configuration. + 1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. + 1. On the Applicability rules page, click Next. + 1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. > [!NOTE] diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 0ae5e51990..8831845dfa 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -33,12 +33,14 @@ You must also enable the Success audit for [Audit Logon](audit-logon.md) subcate Multiple events are generated if the group membership information cannot fit in a single security audit event. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:*** -``` + +```xml - - @@ -86,7 +88,8 @@ Multiple events are generated if the group membership information cannot fit in - **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). +> [!NOTE] +> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it. @@ -122,7 +125,8 @@ Multiple events are generated if the group membership information cannot fit in - **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). +> [!NOTE] +> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. @@ -148,7 +152,8 @@ Multiple events are generated if the group membership information cannot fit in For 4627(S): Group membership information. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). +> [!IMPORTANT] +> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. From f3348d35ac9613cb2b4142d1aaf6411cbd2c0032 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 28 Jun 2021 19:05:04 -0700 Subject: [PATCH 288/370] Acrolinx "multi-factor " --- .../hello-for-business/hello-feature-pin-reset.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6d78a9e26b..154ea379e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -23,7 +23,7 @@ ms.reviewer: - Windows 10, version 1709 or later -Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multi-factor authentication to reset their PIN. +Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN. There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. @@ -79,7 +79,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined - Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903. -When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multi-factor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. +When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. From bed8791d8c1c644bd1f85cba485d4244bcfc2b7d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 28 Jun 2021 19:07:34 -0700 Subject: [PATCH 289/370] Add option for lightbox view --- .../hello-for-business/hello-feature-pin-reset.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 154ea379e1..0ecc622ba4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -110,8 +110,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. - > [!div class="mx-imgBorder"] - > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) + :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: ### Configure Windows devices to use PIN reset using Group Policy From 29f9abbe8a1f1765aa6cac4f6da234a27788fae3 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 28 Jun 2021 19:11:51 -0700 Subject: [PATCH 290/370] Indented list item and content in list items --- .../threat-protection/auditing/event-4627.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 8831845dfa..4a4fce1919 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -88,8 +88,8 @@ Multiple events are generated if the group membership information cannot fit in - **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> [!NOTE] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it. @@ -107,10 +107,10 @@ Multiple events are generated if the group membership information cannot fit in - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” -**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: +- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: -| Logon Type | Logon Title | Description | -|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Logon Type | Logon Title | Description | +|------------|-------------------|----------------------| | 2 | Interactive | A user logged on to this computer. | | 3 | Network | A user or computer logged on to this computer from the network. | | 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | @@ -125,8 +125,8 @@ Multiple events are generated if the group membership information cannot fit in - **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> [!NOTE] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. From 87b9f5377dcd60cc32db75e6c80bf096cfdf0728 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 09:31:40 +0530 Subject: [PATCH 291/370] removed invalid link , added correct link as per user report issue #9747 , so I added correct link and removed invalid link --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 89776f9222..9de7a6f1c2 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -87,4 +87,4 @@ The table below lists the supported configurations for remotely connecting to an ## Related topics -[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop) \ No newline at end of file +[How to use Remote Desktop](https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) From 4991d4fcf561c25e7dce64ef278f213db686ca64 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 10:46:21 +0100 Subject: [PATCH 292/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2e5dcae25d..e4aef3529a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -295,7 +295,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -427,7 +427,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -436,7 +436,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| From 7c1681a7cd620e9ac8eee39d242d162a951e8ec0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:08:19 +0100 Subject: [PATCH 293/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ng-system-components-to-microsoft-services.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e4aef3529a..da8ed579e1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -917,7 +917,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. @@ -1691,21 +1691,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Microsoft Defender Antivirus SmartScreen +### 24.1 Microsoft Defender SmartScreen -To disable Microsoft Defender Antivirus SmartScreen: +To disable Microsoft Defender SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- From 54678d570858669b6ca439c703746fb1b8b40e1c Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:21:30 +0100 Subject: [PATCH 294/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index da8ed579e1..fcadb6f4e3 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1936,7 +1936,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre ### 30. Cloud Clipboard -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices. Most restricted value is 0. From a2b22b9e83bfaab9faf72a0098df0be3f622455c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 17:41:56 +0530 Subject: [PATCH 295/370] typo correction as per user report issue #9750 , so I corrected word --- .../bitlocker/bitlocker-network-unlock-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 17c1035e0b..10287fc220 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -35,6 +35,6 @@ sections: BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is - not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + not available you will need to use the recovery key to unlock the computer if it can not be connected to the network. For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). From 0cff94693ae41c30ebb1b4924655ccdb51cd2942 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 19:17:31 +0530 Subject: [PATCH 296/370] Update windows/client-management/connect-to-remote-aadj-pc.md thanks for pointing out. Today I forgotted to remove localisation. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 9de7a6f1c2..275869bf99 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -87,4 +87,4 @@ The table below lists the supported configurations for remotely connecting to an ## Related topics -[How to use Remote Desktop](https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) +[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) From 72e5c293c3d9b20db903c059c860342b52af49dd Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 09:36:42 -0700 Subject: [PATCH 297/370] hardware req --- windows/whats-new/windows-11-requirements.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 8c87b2c454..54e1400de4 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements] (https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). @@ -86,5 +86,6 @@ Some features in Windows 11 have requirements beyond those listed above. See the ## See also +[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
[Windows 11 overview](windows-11.md) From 931d5be5a65a7fbcb72d4c60a47169e82f46a617 Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Tue, 29 Jun 2021 11:51:33 -0500 Subject: [PATCH 298/370] Update bitlocker-csp.md https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5707 greg-lindsay commented on Dec 18, 2019 @lXbalanque I understand the issue :) I've confirmed that the MDM stack (Intune profile settings) currently supports only used space encryption. You can probably see that by going through all the settings that you've shown above. There is no available choice for "encrypt entire drive" or "full encryption" even though there are a lot of other settings. --- windows/client-management/mdm/bitlocker-csp.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index f19bba4d59..e9bd144485 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -172,6 +172,10 @@ If you want to disable this policy, use the following SyncML: ``` + +> [!NOTE] +> Currently only used space encryption is supported when using this CSP. + **EncryptionMethodByDriveType** @@ -1405,4 +1409,4 @@ The following example is provided to show proper format and should not be taken ``` - \ No newline at end of file + From 3fc77d46d66876d7ac2db48b7372f9fcf1f8c665 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 13:21:18 -0700 Subject: [PATCH 299/370] fix link --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 54e1400de4..368dd33786 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements] (https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). From 64bd2ba149bd2ea66a52a83cecf73dfe73ed1d92 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 29 Jun 2021 13:29:24 -0700 Subject: [PATCH 300/370] udpate tree --- windows/client-management/mdm/euiccs-csp.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 9ce12f6be8..97ae6b939f 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -25,6 +25,10 @@ eUICCs --------IsActive --------PPR1Allowed --------PPR1AlreadySet +--------DownloadServers +------------ServerName +----------------DiscoveryState +----------------AutoEnable --------Profiles ------------ICCID ----------------ServerName From 4ff59a54710e1006b8474d21a7b9fc2885be990a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 13:31:11 -0700 Subject: [PATCH 301/370] formatting --- windows/whats-new/windows-11-requirements.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 368dd33786..c6338640b5 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,9 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). + +Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). From 4b4f05d4f15dde1f5cae5e6c1db484e294da31b2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 13:58:01 -0700 Subject: [PATCH 302/370] Acrolinx "Multi-factor" --- windows/deployment/windows-10-subscription-activation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index dfb7ea6b10..f2dbfeb5b5 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -103,9 +103,9 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) -#### Multi-factor authentication +#### Multifactor authentication -An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. +An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue: From 17bdc36489d8f7199805cd308bb83c89acaf83fa Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 13:59:33 -0700 Subject: [PATCH 303/370] Corrected note markup, spacing, punctuation --- windows/deployment/windows-10-subscription-activation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index f2dbfeb5b5..af4d82ad1b 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -226,7 +226,8 @@ When you have the required Azure AD subscription, group-based licensing is the p If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. -Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience) +> [!CAUTION] +> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. From bbcb845f9e40aecc8d7abd57782d42440a53f689 Mon Sep 17 00:00:00 2001 From: lmqferreira Date: Tue, 29 Jun 2021 22:10:14 +0100 Subject: [PATCH 304/370] Update hello-hybrid-cert-whfb-settings-pki.md fixed typo on group name --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 25a3d96332..98cb3003ec 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -193,7 +193,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin 10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. 12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. From 644c15d06715e50ec31d0bccbd36c68ec8cf5c96 Mon Sep 17 00:00:00 2001 From: JackD Date: Tue, 29 Jun 2021 17:25:25 -0400 Subject: [PATCH 305/370] Add link to CSP in alignment with above CSPs Link missing to CSP documentation similar to other CSPs listed above. --- .../deployment/update/update-compliance-configuration-manual.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 10b6032442..e15c04a0eb 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -47,7 +47,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | -| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | +| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | ### Group policies From 52aa9452f44e2eeb52338308e1ac2a3f3de9161f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 17:16:49 -0700 Subject: [PATCH 306/370] Acrolinx: 16 instances of "Bitlocker" --- .../client-management/mdm/bitlocker-csp.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index e9bd144485..e3f6b2bd85 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -180,7 +180,7 @@ If you want to disable this policy, use the following SyncML: **EncryptionMethodByDriveType** -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". @@ -208,7 +208,7 @@ ADMX Info:
  • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • GP name: EncryptionMethodWithXts_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption
    • +
  • GP path: Windows Components/BitLocker Drive Encryption
  • GP ADMX file name: VolumeEncryption.admx
@@ -264,7 +264,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRequireStartupAuthentication** -This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". +This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
@@ -293,7 +293,7 @@ ADMX Info:
  • GP English name: Require additional authentication at startup
  • GP name: ConfigureAdvancedStartup_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -372,7 +372,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesMinimumPINLength** -This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". +This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
@@ -401,7 +401,7 @@ ADMX Info:
  • GP English name:Configure minimum PIN length for startup
  • GP name: MinimumPINLength_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -448,7 +448,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). @@ -478,7 +478,7 @@ ADMX Info:
  • GP English name: Configure pre-boot recovery message and URL
  • GP name: PrebootRecoveryInfo_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -538,7 +538,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). +This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
@@ -567,7 +567,7 @@ ADMX Info:
  • GP English name: Choose how BitLocker-protected operating system drives can be recovered
  • GP name: OSRecoveryUsage_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -635,7 +635,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). +This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
@@ -664,7 +664,7 @@ ADMX Info:
  • GP English name: Choose how BitLocker-protected fixed drives can be recovered
  • GP name: FDVRecoveryUsage_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -741,7 +741,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). +This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
@@ -770,7 +770,7 @@ ADMX Info:
  • GP English name: Deny write access to fixed drives not protected by BitLocker
  • GP name: FDVDenyWriteAccess_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -810,7 +810,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **RemovableDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). +This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
@@ -839,7 +839,7 @@ ADMX Info:
  • GP English name: Deny write access to removable drives not protected by BitLocker
  • GP name: RDVDenyWriteAccess_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Removeable Drives
  • GP ADMX file name: VolumeEncryption.admx
From 6d8c5dd4bba6e9bf65ad57fd1ab0eb1fbef97b9c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 23:16:30 -0700 Subject: [PATCH 307/370] title --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index c6338640b5..6f7a2364b6 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). From 10aad7f0a310d68776dcfa95b9a4f9f490d8d854 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 23:20:49 -0700 Subject: [PATCH 308/370] fix title --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 6f7a2364b6..aa0532e98d 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 11 +- Windows 11 This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). From 94a34870288fe792549bdf36e7cdd23aa80abc91 Mon Sep 17 00:00:00 2001 From: "Boris I. Bendovsky" Date: Wed, 30 Jun 2021 13:15:11 +0300 Subject: [PATCH 309/370] Fix typo --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index e41c64b649..ca8551b1dd 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -90,7 +90,7 @@ If you suspect that the machine is in a state of port exhaustion: ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) -3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. +3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. ![Screenshot of netstate command output](images/tcp-ts-20.png) @@ -196,4 +196,4 @@ goto loop - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) \ No newline at end of file +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) From 780cd79c510cee80c6299ed39180ca0fc2981110 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 11:34:46 +0100 Subject: [PATCH 310/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 2b896c075b..cec31902a8 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -65,7 +65,7 @@ The following table provides an overview of the Windows 10 privacy settings pres An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. > [!Note] -> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s use of a device. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). +> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). ## 2. Windows 10 data collection management @@ -134,7 +134,6 @@ For more information, see [Manage connections from Windows operating system comp An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] - > - We recommend that you fully test any modifications to these settings before deploying them in your organization. > - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off. From 50787a11cc4a540861b8cb84c89cbaa601635322 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 11:39:49 +0100 Subject: [PATCH 311/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index cec31902a8..41228e335e 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -160,7 +160,7 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, under the definition of the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing the service based capabilities of essential services and connected experiences. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing the service based capabilities of essential services and connected experiences. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. From 1f240ce9030c321c989cf994b0f7f0ee66954b19 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 11:58:03 +0100 Subject: [PATCH 312/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index fcadb6f4e3..70fa555981 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From f29a09e44a93a349e7d59c8f75aab7761d9b0f1d Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 13:54:30 +0100 Subject: [PATCH 313/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 70fa555981..a92f1c32cf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). +> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From 4af1dd1bb58d923162ef3ed4bd2db31dd9b6f844 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:31:37 +0100 Subject: [PATCH 314/370] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a92f1c32cf..8e4e81d422 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -598,7 +598,7 @@ Alternatively, you can configure the following Registry keys as described: ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. From a5b85c2178031c86399f6e13ecad3228660e91e0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:35:00 +0100 Subject: [PATCH 315/370] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8e4e81d422..189ace9071 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -600,7 +600,7 @@ Alternatively, you can configure the following Registry keys as described: For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). -> [!Important] +> [!IMPORTANT] > - The following settings are applicable to Microsoft Edge version 77 or later. > - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). > - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). From 16c3429dde3ae20c6df12d1880ccd6ca53a2f4d3 Mon Sep 17 00:00:00 2001 From: Brent Kendall Date: Wed, 30 Jun 2021 10:21:55 -0700 Subject: [PATCH 316/370] Update system-guard-secure-launch-and-smm-protection.md Clarified that some Intel fTPMs (technically "integrated" TPMs) are now supported. Intel has had an integrated hardware TPM in its CPUs for a while. It is not usually enabled on. They call it Platform Trust Technology or PTT, and it meets the TPM 2.0 spec. OEMs can use this PTT instead of a discrete TPM. The Core i5-10310U is one of these Comet Lake chips with PTT. --- .../system-guard-secure-launch-and-smm-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..161f4fd5cc 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -74,7 +74,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| |--------|-----------| |64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | |SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | @@ -94,4 +94,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | > [!NOTE] -> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). \ No newline at end of file +> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). From a1f4a13defbba1e3dfcf717558f65b571115e66a Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 30 Jun 2021 14:12:35 -0700 Subject: [PATCH 317/370] add note for hololens support --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 7ab4c6bf71..a77a4a7b4f 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. The default value is 1. The following list shows the supported values and actual enforced values: From b937fdf6257ab9c4d561a044765925497305407c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 30 Jun 2021 15:15:40 -0700 Subject: [PATCH 318/370] =?UTF-8?q?Acrolinx/branding:=20"Hololens"=20?= =?UTF-8?q?=C3=97=202?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- windows/client-management/mdm/policy-csp-devicelock.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index a77a4a7b4f..730e173e27 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -114,7 +114,7 @@ manager: dansimp > [!NOTE] -> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. +> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Specifies whether the user must input a PIN or password when the device resumes from an idle state. @@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. The default value is 1. The following list shows the supported values and actual enforced values: @@ -1128,4 +1128,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From bbef9b3f23a7182467866c5df90bd7e1394425b6 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 30 Jun 2021 16:16:50 -0700 Subject: [PATCH 319/370] Update reqs-md-app-guard.md Removed reference to Internet Explorer as a system requirement --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 0c9b491dc5..44f32cf759 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | -|Browser|Microsoft Edge and Internet Explorer| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 542eaaa383f9e87fcc1c2606bb8ffd70fcb8eb33 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 16:14:08 +0530 Subject: [PATCH 320/370] typo correction as per user report #9766, so i corrected the word from **changed** to **cached** --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index b22b8e05fe..18fe88ca82 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -92,7 +92,7 @@ Overwriting the administrator's password does not help the attacker access data Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. -To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. +To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. From 2c2ab9127603dc37fb703b7b00db63c80dd47dd3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 1 Jul 2021 12:40:28 +0100 Subject: [PATCH 321/370] update to remove connected experiences --- ...tial-services-and-connected-experiences.md | 293 ------------------ .../windows-10-and-privacy-compliance.md | 20 +- 2 files changed, 8 insertions(+), 305 deletions(-) delete mode 100644 windows/privacy/essential-services-and-connected-experiences.md diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md deleted file mode 100644 index edb5b8d8af..0000000000 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ /dev/null @@ -1,293 +0,0 @@ ---- -title: Essential Services and Connected Experiences for Windows 10 -description: This article provides information to help IT on the essential services and connected experiences for Windows 10. -keywords: privacy, GDPR, compliance -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: siosulli -ms.author: siosulli -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/28/2021 ---- - -# Essential Services and Connected Experiences for Windows 10 - -**Applies to:** - -- Windows 10, version 1903 and later - -Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. - -When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experiences. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. - -Required service data is separate from Windows diagnostic data. For more information on Windows diagnostic data see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. While you can control many of the connected experiences that are available to you and your organization, we recommend that you carefully assess the impact of turning off essential services. - -Windows connected experiences and essential services transfer data to Microsoft network endpoints. The article [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) provides details about the different ways to control traffic to these endpoints. Where applicable, each connected experience or essential service includes a link to the specific details on how to control that traffic. - ->[!Note] ->The information in this article describes the most common connected experiences and essential services. We will continue to update our list of connected experiences over time as Windows evolves. - -## Windows 10 Essential Services - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Essential ServiceDescription
Authentication

The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows 10 enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

-

To turn it off, see Microsoft Account.

Certificates

Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

-

If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

-

To turn it off, see Automatic Root Certificates Update.

Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

-

To turn it off, see Services Configuration.

Date and Time

The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It is installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

-

To turn it off, see Date and Time

Licensing

Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows as well as store applications.

-

To turn it off, see License Manager and Software Protection Platform.

Networking

Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows 10 devices will lose network connectivity.

-

To turn off Network Adapters, see Disable-NetAdapter.

Device setup

The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

-

To customize the initial setup experience, see Customize Setup.

Telemetry

Microsoft collects diagnostic data including error data about your device with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 behaves in the real world, focus on user priorities, find, and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.

-

To turn it off, see Telemetry Services.

Windows Update

Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date.

-

Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Windows Update.

- -## Windows 10 Connected Experiences - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Connected ExperienceDescription
Device metadata retrieval

When Windows 10 detects a new device, it queries an online service called the Windows Metadata and Internet Services (WMIS) for a metadata package for the device. If a device metadata package is available on WMIS, the Device Metadata Retrieval Client (DMRC) that runs on the local device downloads and installs the package.

-

To turn it off, see Device Metadata Retrieval.

Delivery optimization

Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources (such as other peers on the network), in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

-

If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet.

-

By default, devices running Windows 10 will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

-

To turn it off, see Delivery Optimization.

Speech Recognition

Microsoft provides a cloud-based (online) speech recognition technology that allows users to write text by speaking or interact with this system using your voice. It functions by converting speech audio into transcribed text. Turning on the online speech recognition setting enables the use of Microsoft cloud-based speech recognition in Cortana, the Mixed Reality Portal, dictation in Windows from the software keyboard, supported Microsoft Store apps, and in other parts of Windows 10.

-

To turn it off, see Speech Recognition.

Find My Device

Find My Device is a feature that can help users locate their Windows 10 device if it's lost or stolen. This feature only works if a Microsoft account is used to logon to the device, the user is an administrator on the device and when location is turned on for the device. Users can find their device by logging in to https://account.microsoft.com/devices under the Find My Device tab.

-

To turn it off, see Find My Device.

Windows Insider Program

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s website.

-

To turn it off, see Windows Insider Program.

Location services

The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

-

To turn it off, see Location Services.

Microsoft Store

Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

-

To turn it off, see Microsoft Store.

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization.

-

Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

-

To turn it off, see Microsoft Defender Antivirus.

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files.

-

Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.

-

To turn it off, see Microsoft Defender SmartScreen.

Windows Search

Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account(including OneDrive, SharePoint, and other Microsoft services), and the internet.

-

To turn it off, see Windows Search.

Windows Spotlight

Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

-

Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

-

To turn it off, see Windows Spotlight.

Activity History

Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user.

-

Synchronization across devices only works when a user signs in with the same account.

-

To turn it off, see Activity History.

Settings Synchronization

With settings synchronization is turned on, a user's settings are synced across all Windows 10 devices when they sign in with the same account.

-

To turn it off, see Sync Your Settings.

Cloud Clipboard

Cloud Clipboard enables users to copy images and text across all Windows 10 devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

-

To turn it off, see Cloud Clipboard.

OneDrive

OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.

-

To turn off OneDrive, see OneDrive.

Font Streaming

Font Streaming enables Windows 10 devices to download fonts that are included in Windows but that are not stored on the local device on demand.

-

To turn it off, see Font Streaming.

- -## Edge Essential Services and Connected Experiences - -Windows ships with Microsoft Edge and Internet Explorer on Windows 10 devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. - -You can find details on all of Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper/). - -To turn off specific Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge). - -## IE Essential Services and Connected Experiences - -Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer. - -Note: Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences. To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#8-internet-explorer). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Connected ExperiencesDescription
ActiveX Filtering

ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without user's permission.

-

ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps. This can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.

-

To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls.

Suggested SitesSuggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.
Address Bar and Search suggestionsWith search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information it will be sent to the default search provider.
Auto-complete feature for web addressesThe auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar.
Compatibility loggingThis feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed.
Compatibility ViewCompatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing.
Flip aheadFlip ahead enables your users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting your users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website.
Web SlicesA Web Slice enables users to subscribe to and automatically receive updates to content directly within a Web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices.
Accelerators

Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options.

-

For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word.

Pinning websites to StartWhen a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has.
- -## Related links - -- [Manage connections from Windows 10 operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -- [Connected Experiences in Office.](/deployoffice/privacy/connected-experiences.md) - -- [Essential Services in Office.](/deployoffice/privacy/essential-services.md) - -## Other Windows 10 editions - -To view endpoints for Windows 10 Enterprise, see: - -- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md) -- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: - -- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](manage-windows-20h2-endpoints.md) -- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) -- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) -- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 41228e335e..46785e5d17 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -29,7 +29,7 @@ Applies to: At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10. -Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 and our connected experiences. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. +Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR) @@ -82,7 +82,7 @@ Administrators can configure and control privacy settings across their organizat The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve connecting to Microsoft connected experiences. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This is not a complete list of settings that involve connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). | Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| @@ -113,21 +113,17 @@ You can use the following articles to learn more about Autopilot and how to use - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) -#### _2.3.2 Windows 10 connected experiences and essential services_ +#### _2.3.2 Managing connections from Windows components to Microsoft services_ -Windows includes features that connect to the internet to provide enhanced experiences and additional service based capabilities. These are called “connected experiences”. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. +Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows components. -Connected experiences that are critical to the proper functioning of Windows are called “essential services”. For example, the Windows licensing service confirms that you are properly licensed to use Windows. +For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. -Windows connected experiences and essential services transfer data to Microsoft network endpoints, and while an administrator may want to block these endpoints for their organization to meet specific compliance objectives, we recommend that you carefully assess the impact of turning off essential services. +#### _2.3.3 Managing Windows 10 connections_ -The article [Manage connection endpoints for Windows 10, version 20H2](/windows/privacy/manage-windows-20h2-endpoints) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. +Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives. -#### _2.3.3 Managing connections from Windows connected experiences to Microsoft services_ - -Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows connected experiences and essential services. - -For more information, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. +[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. #### _2.3.4 Limited functionality baseline_ From 27d7a9cd02f932d40e6a5e722d6671092f8117e4 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 18:01:38 +0530 Subject: [PATCH 322/370] Update windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 44f32cf759..18349a4197 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 1b807b71c5ab488e6d9f8d7457e5d8831ce71d26 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 1 Jul 2021 14:03:40 +0100 Subject: [PATCH 323/370] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 846b85c807..be4d1a5f5b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18926,8 +18926,6 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "source_path": "windows/security/threat-protection/intelligence/ransomware-malware.md", "redirect_url": "/security/compass/human-operated-ransomware", "redirect_document_id": false @@ -18937,5 +18935,10 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", "redirect_document_id": false } + { + "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", + "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_document_id": false + } ] } From 68bcf56182d52345bc0257da4648c2f806f061f2 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 1 Jul 2021 14:06:18 +0100 Subject: [PATCH 324/370] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index be4d1a5f5b..dc1dd3eca7 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18934,7 +18934,7 @@ "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md", "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", "redirect_document_id": false - } + }, { "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", From 6b4189fe304824b70c61b4681204524fb39eabd3 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 08:24:35 -0700 Subject: [PATCH 325/370] Update reqs-md-app-guard.md --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 18349a4197..8bf5dfc2f6 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 974b5a5b213a9aba86d1aae0b77b1efbb0ebdea9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 21:33:13 +0530 Subject: [PATCH 326/370] typo correction as per user report issue #9768 , so i corrected **sevices** to **services** Also i conformed this article is applies to Windows 11 too --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 610728b4d6..86e25cc2f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -46,7 +46,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. 3. Verify that the status for the Application Identity service is **Running**. -Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead: +Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead: - Open an elevated command prompt or PowerShell session and type: From c11057d4b61000ca78fa04542873e6a5d725d98d Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 1 Jul 2021 17:05:14 +0100 Subject: [PATCH 327/370] Update windows-10-and-privacy-compliance.md --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 46785e5d17..cfe581ed04 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -156,7 +156,7 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing the service based capabilities of essential services and connected experiences. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. From 0c5bca15f4e3f1a61081ba329beb61a8572808a6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:50:54 -0700 Subject: [PATCH 328/370] Update reqs-md-app-guard.md --- .../reqs-md-app-guard.md | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 8bf5dfc2f6..6c335a409f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/11/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing > Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements -Your environment needs the following hardware to run Microsoft Defender Application Guard. -|Hardware|Description| +Your environment must have the following hardware to run Microsoft Defender Application Guard. + +| Hardware | Description | |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| +| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | +| Hardware memory | Microsoft requires a minimum of 8GB RAM | +| Hard disk | 5 GB free space, solid state disk (SSD) recommended | +| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended | ## Software requirements -Your environment needs the following software to run Microsoft Defender Application Guard. -|Software|Description| + Your environment must have the following software to run Microsoft Defender Application Guard. + +| Software | Description | |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | -|Browser|Microsoft Edge| -|Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Browser | Microsoft Edge | +| Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | From e34a92f88a10af53856b753b775b2bbca415266f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:52:41 -0700 Subject: [PATCH 329/370] Update configure-the-application-identity-service.md --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 86e25cc2f6..83c7422028 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2018 +ms.date: 07/01/2021 ms.technology: mde --- From 24a79df6c5320bc8da53ba92af570b68a761d4db Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:53:39 -0700 Subject: [PATCH 330/370] Update network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 18fe88ca82..8cdbdc9908 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 07/01/2021 ms.technology: mde --- From 7a6aac68889f4fc06748e6f110749369ee86acd2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:55:20 -0700 Subject: [PATCH 331/370] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 161f4fd5cc..093a5713c8 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp From 65a9dbe20edd26f69af0083803c10263abfce039 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 11:08:09 -0700 Subject: [PATCH 332/370] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..12930a5921 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -38,7 +38,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Group Policy](images/secure-launch-group-policy.png) + ![Secure Launch Configuration](images/secure-launch-group-policy.png) ### Windows Security Center @@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Windows Security Center](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). From 62a35d4bd272e9f029889ccbac808b56d8637234 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Thu, 1 Jul 2021 11:28:16 -0700 Subject: [PATCH 333/370] Update defender-csp.md @denisebmsft some additions --- windows/client-management/mdm/defender-csp.md | 44 ++++++++++++++++--- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 97561119e4..15b3e6a372 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -62,6 +62,7 @@ Defender --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -524,8 +525,7 @@ More details: - [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -**Configuration/PlatformUpdatesChannel** - +**Configuration/PlatformUpdatesChannel** Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. @@ -549,8 +549,12 @@ Valid values are: - 3: Current Channel (Staged) - 4: Current Channel (Broad) -**Configuration/EngineUpdatesChannel** +More details: +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/EngineUpdatesChannel** Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. @@ -574,8 +578,12 @@ Valid values are: - 3 - Current Channel (Staged) - 4 - Current Channel (Broad) -**Configuration/SignaturesUpdatesChannel** +More details: +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). @@ -590,6 +598,32 @@ Valid Values are: - 3: Current Channel (Staged) - 4: Current Channel (Broad) +More details: + +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/DisableGradualRelease** +Enable this policy to disable gradual rollout of monthly and daily Defender updates. +Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates. + +Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. + +If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 1 – Enabled. +• 0 (default) – Not Configured. + +More details: + +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -611,4 +645,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) From d35efcdadfc0bee35b3d35eb9dff74abff3c12a5 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 1 Jul 2021 11:50:54 -0700 Subject: [PATCH 334/370] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 15b3e6a372..c66d28ae30 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -604,10 +604,11 @@ More details: - [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) **Configuration/DisableGradualRelease** -Enable this policy to disable gradual rollout of monthly and daily Defender updates. -Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates. +Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. +Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates. -Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. +> [!NOTE] +> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. From 541a2983257d2da96a6d354c7e712de92e95392d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 1 Jul 2021 11:52:15 -0700 Subject: [PATCH 335/370] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ee3192a969..e99b5ddafe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -28,7 +28,7 @@ ms.technology: mde Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. ## Getting started with commdlets -Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module | Microsoft Docs)](powershell/module/configci) support but do not have the module installed on the box. +Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module)](powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. **Steps to install the module:** - Install-Module "ConfigCI" From c2ce37df79e3beb031ad86a038b38be6d6ac11ad Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 1 Jul 2021 15:19:56 -0700 Subject: [PATCH 336/370] Fix broken note The asterisks were rendered in preview. --- .../audit-audit-the-access-of-global-system-objects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4015f85f3f..9f9a154800 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -98,7 +98,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | - | - | | 560 | Access was granted to an already existing object. | | 562 | A handle to an object was closed. | -| 563 | An attempt was made to open an object with the intent to delete it.
**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | +| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | | 564 | A protected object was deleted. | | 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | From c1999346b7134f8aaac64d67c825f641c5963ef2 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 2 Jul 2021 11:19:22 +0100 Subject: [PATCH 337/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...erating-system-components-to-microsoft-services.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 189ace9071..50a249906b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -42,7 +42,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode. > - During update or upgrade of Windows, egress traffic may occur. -To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). +To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. @@ -1293,7 +1293,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co ### 18.16 Feedback & diagnostics -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization). To change how frequently **Windows should ask for my feedback**: @@ -1876,11 +1876,9 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi - Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**. - For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). -For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates] -(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization). +For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). ### 29. Windows Update @@ -1948,7 +1946,8 @@ ADMX Info: - GP ADMX file name: OSPolicy.admx
The following list shows the supported values:
-0 – Not allowed. 1 (default) – Allowed.
+ - 0 – Not allowed
+ - 1 (default) – Allowed
### 31. Services Configuration From 68c9a286072a4b5ddc68d983ad9b1d3f3737c4ef Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 2 Jul 2021 11:24:57 +0100 Subject: [PATCH 338/370] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 50a249906b..d55e34120b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -42,7 +42,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode. > - During update or upgrade of Windows, egress traffic may occur. -To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). +To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. @@ -1293,7 +1293,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co ### 18.16 Feedback & diagnostics -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization). +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To change how frequently **Windows should ask for my feedback**: From d03e2338d4aba5636a3ef3f09f08f432ae88e006 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 2 Jul 2021 11:41:19 +0100 Subject: [PATCH 339/370] Update policy-csp-system.md --- .../mdm/policy-csp-system.md | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 2a6aaac456..446f7de318 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -216,7 +216,7 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete two steps: @@ -264,7 +264,7 @@ The following list shows the supported values: -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete three steps: @@ -303,7 +303,7 @@ The following list shows the supported values: Pro - check mark5 + check mark5 11 Enterprise @@ -372,7 +372,7 @@ The following list shows the supported values: Pro - check mark + check mark11 Enterprise @@ -428,7 +428,7 @@ The following list shows the supported values: Pro - check mark + check mark11 Enterprise @@ -489,7 +489,7 @@ The following list shows the supported values: Pro - check mark2 + check mark2 11 Enterprise @@ -564,7 +564,7 @@ To verify if System/AllowFontProviders is set to true: Pro - check mark + check mark11 Enterprise @@ -656,7 +656,7 @@ If you disable this policy setting, devices may not appear in Microsoft Managed Pro - check mark + check mark11 Enterprise @@ -712,7 +712,7 @@ The following list shows the supported values: Pro - check mark + check mark11 Enterprise @@ -841,7 +841,7 @@ ADMX Info: Pro - check mark6 + check mark6 11 Enterprise @@ -867,7 +867,7 @@ ADMX Info: -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete three steps: @@ -915,7 +915,7 @@ The following list shows the supported values: Pro - check mark + check mark11 Enterprise @@ -964,7 +964,7 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms. +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete three steps: @@ -993,7 +993,7 @@ If you disable or do not configure this policy setting, devices enrolled to the Pro - check mark + check mark11 Enterprise @@ -1065,7 +1065,7 @@ ADMX Info: Pro - check mark5 + check mark5 11 Enterprise @@ -1135,7 +1135,7 @@ ADMX Info: Pro - check mark4 + check mark4 11 Enterprise @@ -1198,7 +1198,7 @@ The following list shows the supported values: Pro - check mark4 + check mark4 11 Enterprise @@ -1266,7 +1266,7 @@ The following list shows the supported values: Pro - check mark5 + check mark5 11 Enterprise @@ -1333,7 +1333,7 @@ ADMX Info: Pro - check mark5 + check mark5 11 Enterprise @@ -1400,7 +1400,7 @@ ADMX Info: Pro - check mark3 + check mark3 11 Enterprise @@ -1456,7 +1456,7 @@ ADMX Info: Pro - check mark2 + check mark2 11 Enterprise @@ -1534,7 +1534,7 @@ To validate on Desktop, do the following: Pro - check mark + check mark 11 Enterprise @@ -1606,7 +1606,7 @@ ADMX Info: Pro - check mark4 + check mark4 11 Enterprise @@ -1660,7 +1660,7 @@ The following list shows the supported values: Pro - check mark3 + check mark3 11 Enterprise @@ -1730,7 +1730,7 @@ ADMX Info: Pro - check mark + check mark 11 Enterprise @@ -1788,7 +1788,7 @@ ADMX Info: Pro - check mark6 + check mark6 11 Enterprise From 67223e7719814809d217487105a21aaf2d6250dd Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 2 Jul 2021 09:36:53 -0700 Subject: [PATCH 340/370] Update reqs-md-app-guard.md --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 6c335a409f..a54f8667cd 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -42,6 +42,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | From d98ebe6e68ebf891177a768ecdc307d9cfd1f31c Mon Sep 17 00:00:00 2001 From: tramcrazy <81013186+tramcrazy@users.noreply.github.com> Date: Fri, 2 Jul 2021 18:48:00 +0100 Subject: [PATCH 341/370] Add capital letter Minor capitalisation fix --- windows/whats-new/windows-11-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 17d61a7125..5af0900b7e 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -39,7 +39,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. From 1ca2ae82bbaad95d17957f9c9e3331a0aa0c8b56 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 2 Jul 2021 15:13:33 -0700 Subject: [PATCH 342/370] Applied proper "> [!NOTE]" style --- .../mdm/policy-csp-system.md | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 446f7de318..a16101aa46 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -774,12 +774,19 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): -- 0 – **Off (Security)** This turns Windows diagnostic data off. - **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. -- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. -- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. +- 0 – **Off (Security)** This turns Windows diagnostic data off. + + > [!NOTE] + > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. + +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. + +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + + > [!NOTE] + > **Enhanced** is no longer an option for Windows Holographic, version 21H1. + +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -1689,9 +1696,15 @@ This policy setting, in combination with the Allow Telemetry policy setting, ena To enable this behavior, you must complete two steps: - 1. Enable this policy setting + 1. Enable this policy setting. + 2. Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) + + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. + + > [!NOTE] + > **Enhanced** is no longer an option for Windows Holographic, version 21H1. + - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 510f2a2891edb668452b6be08ac22866b997e30a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 2 Jul 2021 17:05:34 -0700 Subject: [PATCH 343/370] Adjusted placement of some notes --- ...system-components-to-microsoft-services.md | 35 +++++++++---------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d55e34120b..aad2616468 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -634,9 +634,8 @@ You can turn off NCSI by doing one of the following: - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** - -> [!NOTE] -> After you apply this policy, you must restart the device for the policy setting to take effect. + > [!NOTE] + > After you apply this policy, you must restart the device for the policy setting to take effect. -or- @@ -692,8 +691,9 @@ To remove the News app: - Right-click the app in Start, and then click **Uninstall**. -or- -> [!IMPORTANT] -> If you have any issues with these commands, restart the system and try the scripts again. + + > [!IMPORTANT] + > If you have any issues with the following commands, restart the system and try the scripts again. - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** @@ -863,11 +863,11 @@ Use Settings > Privacy to configure some settings that may be important to yo To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**: -> [!NOTE] -> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - - Turn off the feature in the UI. + > [!NOTE] + > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + -or- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. @@ -900,11 +900,11 @@ To turn off **Let Windows track app launches to improve Start and search results To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: -> [!NOTE] -> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - - Turn off the feature in the UI. + > [!NOTE] + > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + -or- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. @@ -1295,11 +1295,10 @@ To turn off **Let your apps use your trusted devices (hardware you've already co In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). -To change how frequently **Windows should ask for my feedback**: - > [!NOTE] > Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. +To change how frequently **Windows should ask for my feedback**: - To change from **Automatically (Recommended)**, use the drop-down list in the UI. @@ -1579,11 +1578,11 @@ You can control if your settings are synchronized: To turn off Messaging cloud sync: -> [!NOTE] -> There is no Group Policy corresponding to this registry key. - - Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**. + > [!NOTE] + > There is no Group Policy corresponding to this registry key. + ### 22. Teredo You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](/previous-versions/windows/it-pro/windows-vista/cc722030(v=ws.10)). @@ -1674,8 +1673,8 @@ You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**: - Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**. -> [!NOTE] -> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data. + > [!NOTE] + > There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data. You can turn off **Enhanced Notifications** as follows: From 3c5c4e12aeb8282e8ec4500bcb3e9aca6d69dbd1 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 2 Jul 2021 17:13:46 -0700 Subject: [PATCH 344/370] Removed extra indentation of notes --- windows/client-management/mdm/policy-csp-system.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a16101aa46..f199fbc4c1 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -776,15 +776,15 @@ The following list shows the supported values for Windows 10 version 1809 and ol - 0 – **Off (Security)** This turns Windows diagnostic data off. - > [!NOTE] - > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. + > [!NOTE] + > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - > [!NOTE] - > **Enhanced** is no longer an option for Windows Holographic, version 21H1. + > [!NOTE] + > **Enhanced** is no longer an option for Windows Holographic, version 21H1. - 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. From aa62b6e5391931a44bc607367692416ddee2e5f3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 4 Jul 2021 21:04:33 +0530 Subject: [PATCH 345/370] added MECM and WSUS links are added as per user feedback #9778 , so i added below two links **https://docs.microsoft.com/mem/configmgr/** **https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus** --- windows/whats-new/windows-11-prepare.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 5ccbff2c5b..a1176e6d14 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -33,12 +33,12 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### On-premises solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Windows Server Update Service (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. -- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. From 410525fef1cb81c15a0176ab0393acefb2d8922d Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 5 Jul 2021 13:08:19 +0530 Subject: [PATCH 346/370] Update windows/whats-new/windows-11-prepare.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index a1176e6d14..81b9b3d6a9 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -33,7 +33,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### On-premises solutions -- If you use [Windows Server Update Service (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. From cc5d8b7d7692fe93b019054569af3d6c085cb3b8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 5 Jul 2021 13:08:55 +0530 Subject: [PATCH 347/370] Update windows/whats-new/windows-11-prepare.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 81b9b3d6a9..b114202776 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -38,7 +38,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil > [!NOTE] > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. -- If you use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. From 89376c584e3f9f9033c72ef457bc412fb255d826 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 6 Jul 2021 11:29:26 -0700 Subject: [PATCH 348/370] Updated the URL link as recommended. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ee3192a969..744330910a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -28,7 +28,7 @@ ms.technology: mde Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. ## Getting started with commdlets -Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module | Microsoft Docs)](powershell/module/configci) support but do not have the module installed on the box. +Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module | Microsoft Docs)](powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. **Steps to install the module:** - Install-Module "ConfigCI" From a8fccf0b71550c18ead87d7152f418e551f7746f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Jul 2021 21:32:51 -0700 Subject: [PATCH 349/370] Fix approximately 21 links --- .../ltsc/whats-new-windows-10-2019.md | 73 +++++++++++-------- 1 file changed, 43 insertions(+), 30 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 2b62e7fc98..d71b6e5778 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -52,9 +52,11 @@ The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) ##### Attack surface reduction -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). + +- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. ###### Windows Defender Firewall @@ -74,34 +76,42 @@ But these protections can also be configured separately. And, unlike HVCI, code Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. - Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). - - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) -- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) +Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). - Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus). +We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: - New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) +- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) +- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). +Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. +New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: - **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: - - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. +- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) + +We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). + +**Endpoint detection and response** is also enhanced. New **detection** capabilities include: + +- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + +- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + +- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + +- Upgraded detections of ransomware and other advanced attacks. + +- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + +**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. +- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: @@ -139,7 +149,8 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). -You can read more about ransomware mitigations and detection capability at: +You can read more about ransomware mitigations and detection capability at: + - [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) @@ -147,7 +158,9 @@ Also see [New capabilities of Microsoft Defender for Endpoint further maximizing Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + ### Information protection @@ -203,7 +216,7 @@ Improvements have been added are to Windows Hello for Business and Credential Gu New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). @@ -283,7 +296,7 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. @@ -548,7 +561,7 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) From e8703c15359d6dddde7dd4c673e2924559385f2f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Jul 2021 21:52:10 -0700 Subject: [PATCH 350/370] Marked up all destinations as code to... ...prevent some from being treated as hyperlinks by the build and to provide consistent appearance of all --- .../privacy/manage-windows-1809-endpoints.md | 156 +++++++++--------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 3da8139a20..20573d11ec 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -55,8 +55,8 @@ If you [turn off traffic to this endpoint](manage-connections-from-windows-opera | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | +| explorer | HTTP | `tile-service.weather.microsoft.com` | +| | HTTP | `blob.weather.microsoft.com` | The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -65,7 +65,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | +| | HTTPS | `cdn.onenote.net/livetile/?Language=en-US` | The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -75,7 +75,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | +| svchost.exe | | `oem.twimg.com/windows/tile.xml` | The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -84,7 +84,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | star-mini.c10r.facebook.com | +| | | `star-mini.c10r.facebook.com` | The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -102,7 +102,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | TLS v1.2 | candycrushsoda.king.com | +| | TLS v1.2 | `candycrushsoda.king.com` | The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -118,17 +118,17 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | +| system32\AppHostRegistrationVerifier.exe | HTTPS | `mediaredirect.microsoft.com` | The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | wbd.ms | -| | HTTPS | int.whiteboard.microsoft.com | -| | HTTPS | whiteboard.microsoft.com | -| | HTTP / HTTPS | whiteboard.ms | +| | HTTPS | `wbd.ms` | +| | HTTPS | `int.whiteboard.microsoft.com` | +| | HTTPS | `whiteboard.microsoft.com` | +| | HTTP / HTTPS | `whiteboard.ms` | ## Cortana and Search @@ -137,28 +137,28 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| searchui | HTTPS |store-images.s-microsoft.com | +| searchui | HTTPS | `store-images.s-microsoft.com` | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | +| backgroundtaskhost | HTTPS | `www.bing.com/client` | The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | +| backgroundtaskhost | HTTPS | `www.bing.com/proactive` | The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | +| searchui
backgroundtaskhost | HTTPS | `www.bing.com/threshold/xls.aspx` | ## Certificates @@ -171,7 +171,7 @@ If traffic to this endpoint is turned off, Windows no longer automatically downl | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTP | ctldl.windowsupdate.com | +| svchost | HTTP | `ctldl.windowsupdate.com` | ## Device authentication @@ -180,7 +180,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | login.live.com/ppsecure | +| | HTTPS | `login.live.com/ppsecure` | ## Device metadata @@ -189,8 +189,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | +| | | `dmd.metaservices.microsoft.com.akadns.net` | +| | HTTP | `dmd.metaservices.microsoft.com` | ## Diagnostic Data @@ -199,22 +199,22 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | +| svchost | | `cy2.vortex.data.microsoft.com.akadns.net` | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | +| svchost | HTTPS | `v10.vortex-win.data.microsoft.com/collect/v1` | The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | +| wermgr | | `watson.telemetry.microsoft.com` | +| | TLS v1.2 | `modern.watson.data.microsoft.com.akadns.net` | ## Font streaming @@ -223,8 +223,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | +| svchost | | `fs.microsoft.com` | +| | | `fs.microsoft.com/fs/windows/config.json` | ## Licensing @@ -233,7 +233,7 @@ To turn off traffic for this endpoint, disable the Windows License Manager Servi | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | +| licensemanager | HTTPS | `licensing.mp.microsoft.com/v7.0/licenses/content` | ## Location @@ -242,8 +242,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | location-inference-westus.cloudapp.net | -| | HTTPS | inference.location.live.net | +| | HTTP | `location-inference-westus.cloudapp.net` | +| | HTTPS | `inference.location.live.net` | ## Maps @@ -252,7 +252,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *g.akamaiedge.net | +| svchost | HTTPS | `*g.akamaiedge.net` | ## Microsoft account @@ -261,11 +261,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | login.msa.akadns6.net | -| | | login.live.com | -| | | account.live.com | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | -| | | us.configsvc1.live.com.akadns.net | +| | | `login.msa.akadns6.net` | +| | | `login.live.com` | +| | | `account.live.com` | +| system32\Auth.Host.exe | HTTPS | `auth.gfx.ms` | +| | | `us.configsvc1.live.com.akadns.net` | ## Microsoft Store @@ -274,32 +274,32 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | *.wns.windows.com | +| | HTTPS | `*.wns.windows.com` | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | +| | HTTP | `storecatalogrevocation.storequality.microsoft.com` | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | +| | HTTPS | `img-prod-cms-rt-microsoft-com.akamaized.net` | +| backgroundtransferhost | HTTPS | `store-images.microsoft.com` | The following endpoints are used to communicate with Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP \ HTTPS | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | +| | HTTP | `storeedgefd.dsx.mp.microsoft.com` | +| | HTTP \ HTTPS | `pti.store.microsoft.com` | +||TLS v1.2| `cy2.*.md.mp.microsoft.com.*.` | +| svchost | HTTPS | `displaycatalog.mp.microsoft.com` | ## Network Connection Status Indicator (NCSI) @@ -308,7 +308,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | +| | HTTP | `www.msftconnecttest.com/connecttest.txt` | ## Office @@ -318,13 +318,13 @@ If you turn off traffic for these endpoints, users won't be able to save documen | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | -| | HTTPS | nexusrules.officeapps.live.com | -| | HTTPS | officeclient.microsoft.com | +| | | `*.a-msedge.net` | +| hxstr | | `*.c-msedge.net` | +| | | `*.e-msedge.net` | +| | | `*.s-msedge.net` | +| | HTTPS | `ocos-office365-s2s.msedge.net` | +| | HTTPS | `nexusrules.officeapps.live.com` | +| | HTTPS | `officeclient.microsoft.com` | The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. @@ -338,14 +338,14 @@ The following endpoint is OfficeHub traffic used to get the metadata of Office a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| +|Windows Apps\Microsoft.Windows.Photos|HTTPS| `client-office365-tas.msedge.net` | The following endpoint is used to connect the Office To-Do app to it's cloud service. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| |HTTPS|to-do.microsoft.com| +| |HTTPS| `to-do.microsoft.com` | ## OneDrive @@ -354,14 +354,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | +| onedrive | HTTP \ HTTPS | `g.live.com/1rewlive5skydrive/ODSUProduction` | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| onedrive | HTTPS | oneclient.sfx.ms | +| onedrive | HTTPS | `oneclient.sfx.ms` | ## Settings @@ -370,21 +370,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | +| dmclient | | `cy2.settings.data.microsoft.com.akadns.net` | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| dmclient | HTTPS | settings.data.microsoft.com | +| dmclient | HTTPS | `settings.data.microsoft.com` | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | settings-win.data.microsoft.com | +| svchost | HTTPS | `settings-win.data.microsoft.com` | ## Skype @@ -392,9 +392,9 @@ The following endpoint is used to retrieve Skype configuration values. To turn o | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | -| | HTTPS | browser.pipe.aria.microsoft.com | -| | | skypeecs-prod-usw-0-b.cloudapp.net | +|microsoft.windowscommunicationsapps.exe | HTTPS | `config.edge.skype.com` | +| | HTTPS | `browser.pipe.aria.microsoft.com` | +| | | `skypeecs-prod-usw-0-b.cloudapp.net` | ## Windows Defender @@ -403,24 +403,24 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | wdcp.microsoft.com | +| | | `wdcp.microsoft.com` | The following endpoints are used for Windows Defender definition updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | +| | | `definitionupdates.microsoft.com` | +|MpCmdRun.exe|HTTPS| `go.microsoft.com` | The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | ars.smartscreen.microsoft.com | -| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | +| | HTTPS | `ars.smartscreen.microsoft.com` | +| | HTTPS | `unitedstates.smartscreen-prod.microsoft.com` | +| | | `smartscreen-sn3p.smartscreen.microsoft.com` | ## Windows Spotlight @@ -429,11 +429,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | +| backgroundtaskhost | HTTPS | `arc.msn.com` | +| backgroundtaskhost | | `g.msn.com.nsatc.net` | +| |TLS v1.2| `*.search.msn.com` | +| | HTTPS | `ris.api.iris.microsoft.com` | +| | HTTPS | `query.prod.cms.rt.microsoft.com` | ## Windows Update @@ -442,23 +442,23 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | +| svchost | HTTPS | `*.prod.do.dsp.mp.microsoft.com` | The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | +| svchost | HTTP | `*.windowsupdate.com` | +| svchost | HTTP | `*.dl.delivery.mp.microsoft.com` | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | +| svchost | HTTPS | `*.update.microsoft.com` | +| svchost | HTTPS | `*.delivery.mp.microsoft.com` | These are dependent on enabling: - [Device authentication](manage-windows-1809-endpoints.md#device-authentication) @@ -469,7 +469,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | +| svchost | HTTPS | `tsfe.trafficshaping.dsp.mp.microsoft.com` | ## Microsoft forward link redirection service (FWLink) @@ -480,7 +480,7 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa | Source process | Protocol | Destination | |----------------|:--------:|------------| -|Various|HTTPS|go.microsoft.com| +|Various|HTTPS| `go.microsoft.com` | ## Other Windows 10 editions From e11dd22df9ed88e0008cff32f0b9abf6b544cc16 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Jul 2021 21:55:32 -0700 Subject: [PATCH 351/370] Marked up names of malware families to... ...prevent the build from making all of these hyperlinks. --- .../threat-protection/intelligence/macro-malware.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 5bf655b20c..625498e600 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -28,12 +28,12 @@ Macro malware was fairly common several years ago because macros ran automatical We've seen macro malware download threats from the following families: -* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) -* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) -* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) -* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) -* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) +* [`Ransom:MSIL/Swappa`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [`Ransom:Win32/Teerac`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [`TrojanDownloader:Win32/Chanitor`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [`TrojanSpy:Win32/Ursnif`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [`Win32/Fynloski`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [`Worm:Win32/Gamarue`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware From 99b706288fa99be39691885e57c0e4adf8b07861 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Jul 2021 21:59:29 -0700 Subject: [PATCH 352/370] Corrected font weight of table headings Table headings are bold by default. Adding formatting for bold results in a lighter weight font than is standard. --- .../overview-of-threat-mitigations-in-windows-10.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 8c5b01b506..8791e49d7f 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -20,7 +20,7 @@ ms.technology: mde This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics). -| **Section** | **Contents** | +| Section | Contents | |--------------|-------------------------| | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | @@ -118,7 +118,7 @@ Data Execution Prevention (DEP) does exactly that, by substantially reducing the 1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. -2. Click **More Details** (if necessary), and then click the **Details** tab. +2. Click **More Details** (if necessary), and then click the **Details** tab. 3. Right-click any column heading, and then click **Select Columns**. @@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features. - - + + From 18f4d2fc1b258cf6d1616bc330487cb190a709cd Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Thu, 8 Jul 2021 09:00:07 -0700 Subject: [PATCH 353/370] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ff505c8beb..29cd125c84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -29,7 +29,7 @@ Windows Defender Application Control (WDAC) can control what runs on Windows 10 ## Getting started with commdlets -Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module)](powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. +Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module)](/powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. **Steps to install the module:** - Install-Module "ConfigCI" From 744476aef5b44394e05c7426c5fadbece2a1e643 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 9 Jul 2021 10:12:28 -0400 Subject: [PATCH 354/370] pruning dead link The 'More information' link for the ebook currently redirects to an unrelated marketing page --- windows/security/threat-protection/intelligence/phishing.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 55d1b756ed..1f997dac95 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -99,4 +99,3 @@ If you feel you've been a victim of a phishing attack: - [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing) - [Phishing trends](phishing-trends.md) -- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. \ No newline at end of file From 42de6f1f5288d164f0fc07e071ca322a5d6bc746 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 9 Jul 2021 21:39:42 +0530 Subject: [PATCH 355/370] fixed typo error as per user report #9790 , so I have corrected the word **Havens** to **Hagens** --- .../password-must-meet-complexity-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index c40865f9da..adc677996b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -31,7 +31,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: From ffb89f17259a2f487ae6d5753ecd12955793bb62 Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Fri, 9 Jul 2021 10:14:47 -0700 Subject: [PATCH 356/370] Update configuration-service-provider-reference.md Fixed HotSpot CSP support to contain Professional, Business, Education and Enterprise. Reflecting the right applicability. --- .../mdm/configuration-service-provider-reference.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 4f9dd3d9da..4dc856f036 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1270,10 +1270,10 @@ Additional lists: - - - - + + + +
Specific EMET featuresHow these EMET features map
-to Windows 10 features		Specific EMET featuresHow these EMET features map
+to Windows 10 features
cross markcross markcross markcross markcross markcheck markcheck markcheck markcheck mark check mark
From 6978fbd3101b634aefa66ad434e49be7b8ae0b5a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 11:43:41 -0700 Subject: [PATCH 357/370] Corrected bad links --- .../overview-of-threat-mitigations-in-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 8791e49d7f..f98634584d 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -25,7 +25,7 @@ This topic provides an overview of some of the software and firmware threats fac | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | | [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | -| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: @@ -435,7 +435,7 @@ Examples: Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL ``` -- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET's ASR protections. +- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This will enable protections on Windows 10 equivalent to EMET's ASR protections. - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example: From 8b304f43626766aa909719130b3d5ec4fea5c64b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:26:47 -0700 Subject: [PATCH 358/370] Fixed bad link for WIP for business --- windows/whats-new/whats-new-windows-10-version-1709.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 6386e1bddd..128c447ff4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -52,7 +52,7 @@ WUfB now has additional controls available to manage Windows Insider Program enr ### Windows Insider Program for Business -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). ## Administration From 770e693e789c6d3646829e91274a7fc27fe23fcd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:27:39 -0700 Subject: [PATCH 359/370] Fixed bad links for ARSO and Remote Desktop with Biometrics --- windows/whats-new/whats-new-windows-10-version-1903.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 82419adcf5..371bf97c95 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -54,7 +54,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing - [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -132,7 +132,7 @@ This new feature is displayed under the Device Security page with the string “ - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. - Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! -- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. ### Security management From 50b4b72e0413c266ae8cdfab6463a9abcf9fe47e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:36:16 -0700 Subject: [PATCH 360/370] Added backticks to destinations that I missed on the previous pass --- windows/privacy/manage-windows-1809-endpoints.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 20573d11ec..eb5e4f6104 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -74,7 +74,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | wildcard.twimg.com | +| | HTTPS | `wildcard.twimg.com` | | svchost.exe | | `oem.twimg.com/windows/tile.xml` | The following endpoint is used for Facebook updates. @@ -93,7 +93,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | +| WindowsApps\Microsoft.Windows.Photos | HTTPS | `evoke-windowsservices-tas.msedge.net` | The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -111,7 +111,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | +| system32\AppHostRegistrationVerifier.exe | HTTPS | `wallet.microsoft.com` | The following endpoint is used by the Groove Music app for update HTTP handler status. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. @@ -332,7 +332,7 @@ If you turn off traffic for these endpoints, users won't be able to save documen | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | +| system32\Auth.Host.exe | HTTPS | `outlook.office365.com` | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. From c5df76c96eb4fc5fb1cf4ddc04114a7f659dd072 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:41:54 -0700 Subject: [PATCH 361/370] Removed useless backticks I don't know why I thought these would be helpful. I also don't know why these links weren't working when I tested them earlier, before the backticks. --- .../threat-protection/intelligence/macro-malware.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 625498e600..5bf655b20c 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -28,12 +28,12 @@ Macro malware was fairly common several years ago because macros ran automatical We've seen macro malware download threats from the following families: -* [`Ransom:MSIL/Swappa`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) -* [`Ransom:Win32/Teerac`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) -* [`TrojanDownloader:Win32/Chanitor`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) -* [`TrojanSpy:Win32/Ursnif`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [`Win32/Fynloski`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) -* [`Worm:Win32/Gamarue`](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) +* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware From b714910dffbd7673ffc9f7d02c94566efbd2f036 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:46:21 -0700 Subject: [PATCH 362/370] Deleted apparent garbage character --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index d71b6e5778..d9d11ffcb6 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -263,7 +263,7 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat #### SMBLoris vulnerability -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. +An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. #### Windows Security Center From 60d1d12590786d805ef5b518b23fcb8d6503cfcf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 9 Jul 2021 12:48:15 -0700 Subject: [PATCH 363/370] Deleted apparent garbage character --- windows/whats-new/whats-new-windows-10-version-1709.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 128c447ff4..80fd32b4a9 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -119,7 +119,7 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). ### SMBLoris vulnerability -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. +An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. ## Windows Analytics From 061c07a4bc3658368ff7152de2bc9532b265d910 Mon Sep 17 00:00:00 2001 From: Maggie Dakeva Date: Fri, 9 Jul 2021 15:38:31 -0700 Subject: [PATCH 364/370] Update enroll-a-windows-10-device-automatically-using-group-policy.md Removing a note since it's not accurate. The note below which states that Device credential is supported for Co-management and Azure Virtual Desktop is accurate. --- ...oll-a-windows-10-device-automatically-using-group-policy.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 775e72cacd..1274fdb476 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -117,9 +117,6 @@ Requirements: 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - > [!NOTE] - > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. From 551d62f8d74e9ba3ab19cbe963b610673c5c563b Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Fri, 9 Jul 2021 17:05:29 -0700 Subject: [PATCH 365/370] Update diagnose-mdm-failures-in-windows-10.md Removed Windows Mobile specific content "Field Medic" section --- .../diagnose-mdm-failures-in-windows-10.md | 68 ------------------- 1 file changed, 68 deletions(-) diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 3bd7186d4f..6043b61d8c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -133,74 +133,6 @@ Example: Export the Debug logs ``` -**To collect logs manually** - -1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store. -2. Open the Field Medic app and then click on **Advanced**. - - ![field medic screenshot 2](images/diagnose-mdm-failures2.png) - -3. Click on **Choose with ETW provider to use**. - - ![field medic screenshot 3](images/diagnose-mdm-failures3.png) - -4. Check **Enterprise** and un-check the rest. - - ![field medic screenshot 4](images/diagnose-mdm-failures4.png) - -5. In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot. - - ![field medic screenshot 5](images/diagnose-mdm-failures2.png) - -6. When the operation is done, click on **Stop Logging**. - - ![field medic screenshot 6](images/diagnose-mdm-failures5.png) - -7. Save the logs. They will be stored in the Field Medic log location on the device. -8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder. - - ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot 7](images/diagnose-mdm-failures7.png)![device folder screenshot 8](images/diagnose-mdm-failures8.png) - -The following table contains a list of common providers and their corresponding GUIDs. - -| GUID | Provider Name | -|--------------------------------------|--------------------------------------------------------| -| 099614a5-5dd7-4788-8bc9-e29f43db28fc | Microsoft-Windows-LDAP-Client | -| 0f67e49f-fe51-4e9f-b490-6f2948cc6027 | Microsoft-Windows-Kernel-Processor-Power | -| 0ff1c24b-7f05-45c0-abdc-3c8521be4f62 | Microsoft-Windows-Mobile-Broadband-Experience-SmsApi | -| 10e4f0e0-9686-4e62-b2d6-fd010eb976d3 | Microsoft-WindowsPhone-Shell-Events | -| 1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266 | Microsoft-Windows-Networking-RealTimeCommunication | -| 22a7b160-f6e8-46b9-8e0b-a51989c85c66 | Microsoft-WindowsPhone-Bluetooth-AG | -| 2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73e | Microsoft-WindowsPhone-ConfigManager2 | -| 331c3b3a-2005-44c2-ac5e-77220c37d6b4 | Microsoft-Windows-Kernel-Power | -| 33693e1d-246a-471b-83be-3e75f47a832d | Microsoft-Windows-BTH-BTHUSB | -| 3742be72-99a9-42e6-9fd5-c01a330e3625 | Microsoft-WindowsPhone-PhoneAudio | -| 3b9602ff-e09b-4c6c-bc19-1a3dfa8f2250 | Microsoft-WindowsPhone-OmaDm-Client-Provider | -| 3da494e4-0fe2-415C-b895-fb5265c5c83b | Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider | -| 3f471139-acb7-4a01-b7a7-ff5da4ba2d43 | Microsoft-Windows-AppXDeployment-Server | -| 4180c4f7-e238-5519-338f-ec214f0b49aa | Microsoft.Windows.ResourceManager | -| 4637124c-1d40-4b4d-892f-2aaecf24ff06 | Microsoft-Windows-WinJson | -| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider | -| 4eacb4d0-263b-4b93-8cd6-778a278e5642 | Microsoft-Windows-GenericRoaming | -| 4f386063-ef17-4629-863c-d71597af743d | Microsoft-WindowsPhone-NotificationService | -| 55404e71-4db9-4deb-a5f5-8f86e46dde56 | Microsoft-Windows-Winsock-NameResolution | -| 59819d0a-adaf-46b2-8d7c-990bc39c7c15 | Microsoft-Windows-Battery | -| 5c103042-7e75-4629-a748-bdfa67607fac | Microsoft-WindowsPhone-Power | -| 69c1c3f1-2b5c-41d0-a14a-c7ca5130640e | Microsoft-WindowsPhone-Cortana | -| 6ad52b32-d609-4be9-ae07-ce8dae937e39 | Microsoft-Windows-RPC | -| 7263516b-6eb0-477b-b64f-17b91d29f239 | Microsoft-WindowsPhone-BatterySense | -| 7dd42a49-5329-4832-8dfd-43d979153a88 | Microsoft-Windows-Kernel-Network | -| ae4bd3be-f36f-45b6-8d21-bdd6fb832853 | Microsoft-Windows-Audio | -| daa6a96b-f3e7-4d4d-a0d6-31a350e6a445 | Microsoft-Windows-WLAN-Driver | -| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider | -| 74e106b7-00be-4a55-b707-7ab58d6a9e90 | Microsoft-WindowsPhone-Shell-OOBE | -| cbda4dbf-8d5d-4f69-9578-be14aa540d22 | Microsoft-Windows-AppLocker | -| e595f735-b42a-494b-afcd-b68666945cd3 | Microsoft-Windows-Firewall | -| e5fc4a0f-7198-492f-9b0f-88fdcbfded48 | Microsoft-Windows Networking VPN | -| e5c16d49-2464-4382-bb20-97a4b5465db9 | Microsoft-Windows-WiFiNetworkManager | - - --> - ## Collect logs remotely from Windows 10 Holographic For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). From 00d2ef396b1bcb34f2b70bf5dcfb72b763a6d403 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 10 Jul 2021 17:22:22 +0530 Subject: [PATCH 366/370] Update windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../password-must-meet-complexity-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index adc677996b..2167a3d000 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -31,7 +31,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: From 269c72b0590e8e4deaa754a5cd70f138ed212ebc Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 12 Jul 2021 10:50:43 -0700 Subject: [PATCH 367/370] Corrected cmdlet misspellings --- .../select-types-of-rules-to-create.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 29cd125c84..33529a500c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -27,9 +27,9 @@ ms.technology: mde Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. -## Getting started with commdlets +## Getting started with cmdlets -Some of the [SKUs](feature-availability.md) that support our PowerShell commandlets [(ConfigCI Module)](/powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. +Some of the [SKUs](feature-availability.md) that support our PowerShell cmdlets [(ConfigCI Module)](/powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. **Steps to install the module:** - Install-Module "ConfigCI" From 77ed05c3409eb6a5ea1d4305dd3db2f8adb14aa8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 12 Jul 2021 12:23:32 -0700 Subject: [PATCH 368/370] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 33529a500c..e6b9a0016a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 03/04/2020 +ms.date: 07/12/2021 ms.technology: mde --- @@ -31,7 +31,7 @@ Windows Defender Application Control (WDAC) can control what runs on Windows 10 Some of the [SKUs](feature-availability.md) that support our PowerShell cmdlets [(ConfigCI Module)](/powershell/module/configci/?view=windowsserver2019-ps) support but do not have the module installed on the box. -**Steps to install the module:** +### Steps to install the module - Install-Module "ConfigCI" - Import-Module "ConfigCI" @@ -54,7 +54,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru > [!NOTE] > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. -**Table 1. Windows Defender Application Control policy - policy rule options** +### Table 1. Windows Defender Application Control policy - policy rule options | Rule option | Description | |------------ | ----------- | @@ -96,7 +96,7 @@ File rule levels allow administrators to specify the level at which they want to Each file rule level has its benefit and disadvantage. Use Table 2 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario. -**Table 2. Windows Defender Application Control policy - file rule levels** +### Table 2. Windows Defender Application Control policy - file rule levels | Rule level | Description | |----------- | ----------- | @@ -172,7 +172,7 @@ File name rule levels let you specify file attributes to base a rule on. File na Use Table 3 to select the appropriate file name level for your use cases. For instance, an LOB or production application and its binaries may all share the same product name. This option lets you easily create targeted policies based on the Product Name filename rule level. -**Table 3. Windows Defender Application Control policy - filename levels** +### Table 3. Windows Defender Application Control policy - filename levels | Rule level | Description | |----------- | ----------- | From d30945490824ae56b5d8f7aae799c0e70b923ba9 Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Mon, 12 Jul 2021 15:11:40 -0700 Subject: [PATCH 369/370] Update configuration-service-provider-reference.md Corrected support of UEFI CSP. Professional cross mark -> Check mark --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 4dc856f036..a780da0495 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2156,7 +2156,7 @@ Additional lists: cross mark - cross mark + check mark check mark4 check mark4 check mark4 From a5cabf972ee453c68bb15477aaafaa5ba71010b0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 12 Jul 2021 22:04:04 -0700 Subject: [PATCH 370/370] Changes to raise the Acrolinx score This work is so that sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5382 can be merged. --- ...sword-must-meet-complexity-requirements.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 2167a3d000..1a74bf2b3a 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -28,10 +28,10 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. - The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: @@ -47,7 +47,7 @@ Complexity requirements are enforced when passwords are changed or created. The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. -When enabled, the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users aren't used to passwords that contain characters that aren't in the alphabet. But this policy setting is liberal enough that all users should get used to it. +When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it. Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). @@ -64,7 +64,7 @@ Additional settings that can be included in a custom Passfilt.dll are the use of Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. -The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add additional complexity to the password.) +The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.) Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. @@ -74,16 +74,16 @@ Passwords that contain only alphanumeric characters are easy to compromise by us ### Default values -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. | Server type or Group Policy Object (GPO) | Default value | -| - | - | -| Default domain policy| Enabled| -| Default domain controller policy| Enabled| -| Stand-alone server default settings | Disabled| -| Domain controller effective default settings | Enabled| -| Member server effective default settings | Enabled| -| Effective GPO default settings on client computers | Disabled| +|---|---| +| Default domain policy | Enabled | +| Default domain controller policy | Enabled | +| Stand-alone server default settings | Disabled | +| Domain controller effective default settings | Enabled | +| Member server effective default settings | Enabled| +| Effective GPO default settings on client computers | Disabled | ## Security considerations @@ -91,21 +91,21 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. +Passwords that contain only alphanumeric characters are easy to discover with several publicly available tools. ### Countermeasure -Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords. +Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use a variety of characters in their passwords. -When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) +When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it's difficult (but possible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) ### Potential impact -If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty. +If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty. -If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. +If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments. -The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) +The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.) ## Related articles