Date: Wed, 21 Dec 2022 08:27:42 -0800
Subject: [PATCH 074/110] Tweaks.
---
.../operate/windows-autopatch-wqu-overview.md | 38 +++++++++++++++----
1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index 718e1126b8..fa6ab29268 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -52,7 +52,24 @@ Windows Autopatch configures these policies differently across update rings to g
:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
-## Expedited releases
+## Release management
+
+In the Release management blade, you can:
+
+- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
+- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
+- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
+
+### Release schedule
+
+For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
+
+- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
+- The date the update is available.
+- The target completion date of the update.
+- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release.
+
+### Expedited releases
Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
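Review bot: The last bullet added under "the **Release schedule** tab contains:" is an action, not something the tab contains, and "either [**Pause** and/or **Resume**]" mixes "either" with "and/or". Move it out of the list as its own sentence, for example "From the **Release schedule** tab, you can pause or resume a Windows quality update release." The status bullet names only **Active**, yet a later hunk in this patch introduces **Service Paused** and **Customer Paused**; mention or link those here. In the first list, "knowledge based articles" should read "knowledge base articles".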
@@ -63,10 +80,12 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
| Standard release | TestFirst
Fast
Broad | 0
1
6
9 | 0
2
2
5 | 0
2
2
2 |
| Expedited release | All devices | 0 | 1 | 1 |
-### Turn off service-driven expedited quality update releases
+#### Turn off service-driven expedited quality update releases
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
+By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Microsoft Managed Desktop-enrolled devices using Microsoft Intune.
+
**To turn off service-driven expedited quality updates:**
1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
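Review bot: The added sentence scopes the setting to "Microsoft Managed Desktop-enrolled devices", but this page and the sentence directly above it are about Windows Autopatch; confirm the product name and correct it if it was carried over from another doc. Since the page says releases are expedited when they are critical to security, the new paragraph should also state that turning this off leaves those updates on the standard ring timings shown in the table above. The context line "turn off of service-driven" has a stray "of" worth fixing while this paragraph is open.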
@@ -75,9 +94,9 @@ Windows Autopatch provides the option to turn off of service-driven expedited qu
> [!NOTE]
> Windows Autopatch doesn't allow customers to request expedited releases.
-## Out of Band releases
+### Out of Band releases
-Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. You can view the deployed OOB quality updates in the **Release Management** blade in the **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
**To view deployed Out of Band quality updates:**
@@ -87,13 +106,18 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
> [!NOTE]
> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
-## Pausing and resuming a release
+### Pausing and resuming a release
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
-If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
+In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
-You can pause or resume a Windows quality update from the **Release management** tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
+
+| Status | Description |
+| ----- | ------ |
+| Service Paused | If the Microsoft Managed Desktop service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
+| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select Resume to resume the update. |
## Incidents and outages
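Review bot: Both rows of the new status table name "the Microsoft Managed Desktop service" as the party that pauses a release, while the paragraph above says Windows Autopatch pauses it; use one service name throughout. The hunk also drops "a policy will be deployed which prevents devices from updating while the issue is investigated", which was the only description of what a pause does on devices; keep it or point to where that is now documented. In the Customer Paused row the control name in "select Resume" is not bolded, and "[Endpoint Manager admin center] > **Release management** > in the **Release schedule** tab" reads better as a plain navigation path.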
From ec035942114fd2ba5259e1913ce8a164b023edfe Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Wed, 21 Dec 2022 08:34:19 -0800
Subject: [PATCH 075/110] Tweak
---
.../windows-autopatch/operate/windows-autopatch-wqu-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index fa6ab29268..2ef4799a5e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -117,7 +117,7 @@ There are two statuses associated with paused quality updates, **Service Paused*
| Status | Description |
| ----- | ------ |
| Service Paused | If the Microsoft Managed Desktop service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
-| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select Resume to resume the update. |
+| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
## Incidents and outages
From 2afe77242a753b47ca091a8fc8e6a13768889bb3 Mon Sep 17 00:00:00 2001
From: Carmen Forsmann
Date: Wed, 21 Dec 2022 11:13:56 -0700
Subject: [PATCH 076/110] Update Delivery Optimization docs
---
.../mdm/policy-csp-deliveryoptimization.md | 6 +-----
windows/deployment/do/TOC.yml | 6 +++---
.../do/includes/waas-delivery-optimization-monitor.md | 8 ++++----
windows/deployment/do/index.yml | 4 ++--
.../deployment/do/waas-delivery-optimization-reference.md | 2 +-
5 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 828657eada..95f4178efd 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -702,11 +702,7 @@ ADMX Info:
Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory.
-When set, the Group ID will be assigned automatically from the selected source.
-
-If you set this policy, the GroupID policy will be ignored.
-
-The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
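Review bot: The added paragraph ends with "anything other than 0-5", but the option list directly above it documents only 1 through 5, so the meaning of 0 is undefined here; document 0 or change the range. "neither the GroupID or GroupIDSource policies" should use "nor". The fallback sentence means a device configured for DHCP Option ID (3) or DNS Suffix (4) can end up grouped by AD Site, domain SID or AAD Tenant ID instead; say how an admin can tell which source was actually used. Folding the three former paragraphs into one also makes the conditions harder to scan; keep the default behavior and the Group (2) download-mode condition as separate paragraphs.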
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index 07805dc6fb..6c21a68819 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -1,4 +1,4 @@
-- name: Delivery Optimization for Windows client and Microsoft Connected Cache
+- name: Delivery Optimization for Windows and Microsoft Connected Cache
href: index.yml
- name: What's new
href: whats-new-do.md
@@ -9,9 +9,9 @@
href: waas-delivery-optimization.md
- name: Delivery Optimization Frequently Asked Questions
href: waas-delivery-optimization-faq.yml
- - name: Configure Delivery Optimization for Windows clients
+ - name: Configure Delivery Optimization for Windows
items:
- - name: Windows client Delivery Optimization settings
+ - name: Windows Delivery Optimization settings
href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
- name: Configure Delivery Optimization settings using Microsoft Intune
href: /mem/intune/configuration/delivery-optimization-windows
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
index 2828da9932..5f75f6344a 100644
--- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
@@ -28,15 +28,15 @@ ms.localizationpriority: medium
| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
-| BytesfromHTTP | Total number of bytes received over HTTP |
+| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
-| BytesFromCacheServer | Total number of bytes received from cache server |
+| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
-| BytesFromGroupPeers | Total number of bytes received from peers found in the group |
+| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.) |
| BytesFromInternetPeers | Total number of bytes received from internet peers |
| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
-| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
+| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN |
| DownloadDuration | Total download time in seconds |
| HttpConnectionCount | |
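Review bot: The new BytesFromGroupPeers note refers to 'BytesFromLANPeers', but the key in this table is BytesFromLanPeers; match the casing so readers can search for it. "(MCC)" is introduced without expansion; write "Microsoft Connected Cache (MCC)" on first use. The BytesToGroupPeers change appears to be whitespace only. While this table is open, the context rows need attention: BytesToInternetPeers is described as "delivered from peers found on the LAN", which reads as a copy of the BytesToLanPeers row, and HttpConnectionCount has no description.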
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index 654cd9f309..5cbe1535a0 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -1,7 +1,7 @@
### YamlMime:Landing
title: Delivery Optimization # < 60 chars
-summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars
+summary: Set up peer to peer downloads for Microsoft content supported by Delivery Optimization and learn about Microsoft Connected Cache. # < 160 chars
metadata:
title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars.
@@ -36,7 +36,7 @@ landingContent:
# Card (optional)
- - title: Configure Delivery Optimization on Windows clients
+ - title: Configure Delivery Optimization on Windows
linkLists:
- linkListType: how-to-guide
links:
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 22dff75ed5..eaebb348bc 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -146,7 +146,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
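Review bot: This paragraph is now word-for-word the one added to policy-csp-deliveryoptimization.md in the same patch, and the removed lines show the two copies had already drifted (only this file carried the "0-5" sentence). Consider moving it to a shared include so the next edit lands in both places. The same wording points apply here: "neither ... or" should be "neither ... nor", and the value 0 in "0-5" is not described in the option list visible above.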
From a9050de2c2f9da84261fbc45e08b13328e2763f7 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 21 Dec 2022 12:17:45 -0800
Subject: [PATCH 077/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 130 ++++++++++----------
1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index efb6644b18..f3a1dee970 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -79,71 +79,71 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
-| Application | Supported version | App Type | Vendor |
-|-----------------------------------------|-------------------|----------|------------------------------|
-| 3d builder | 15.2.10821.1070 | Win32 | Microsoft |
-|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation|
-| AirSecure | 8.0.0 | Win32 | AIR |
-| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
-| Brave Browser | 106.0.5249.65 | Win32 | Brave |
-| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
-| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
-| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
-| CKAuthenticator | 3.6+ | Win32 | Content Keeper |
-| Class Policy | 114.0.0 | Win32 | Class Policy |
-| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
-| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
-| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
-| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
-| Duo from Cisco | 2.25.0 | Win32 | Cisco |
-| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
-| Epson iProjection | 3.31 | Win32 | Epson |
-| eTests | 4.0.25 | Win32 | CASAS |
-| FortiClient | 7.2.0.4034+ | Win32 | Fortinet |
-| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
-| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd |
-| GoGuardian | 1.4.4 | Win32 | GoGuardian |
-| Google Chrome | 102.0.5005.115 | Win32 | Google |
-| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
-| Immunet | 7.5.0.20795 | Win32 | Immunet |
-| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
-| Inspiration 10 | 10.11 | Win32 | TechEdology Ltd |
-| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
-| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps |
-| Kortext | 2.3.433.0 | Store | Kortext |
-| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
-| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. |
-| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. |
-| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
-| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
-| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
-| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
-| NAPLAN | 2.5.0 | Win32 | NAP |
-| Netref Student | 22.2.0 | Win32 | NetRef |
-| NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
-| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
-| NetSupport School | 14.00.0011 | Win32 | NetSupport |
-| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
-| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
-| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
-| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd |
-| Pearson TestNav | 1.10.2.0 | Store | Pearson |
-| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
-| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
-| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
-| Remote Help | 3.8.0.12 | Win32 | Microsoft |
-| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
-| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
-| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
-| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd
-| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
-| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access |
-| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc |
-| Winbird | 19 | Win32 | Winbird Co., Ltd. |
-| WordQ | 5.4.23 | Win32 | Mathetmots |
-| Zoom | 5.9.1 (2581) | Win32 | Zoom |
-| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
-| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
+| Application | Supported version | App Type | Vendor |
+|-------------------------------------------|-------------------|----------|--------------------------------|
+| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
+| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation`|
+| `AirSecure` | 8.0.0 | Win32 | `AIR` |
+| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
+| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
+| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
+| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
+| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
+| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
+| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
+| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
+| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
+| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
+| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | 'Data recognition Corporation` |
+| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
+| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
+| `Epson iProjection` | 3.31 | Win32 | `Epson` |
+| `eTests` | 4.0.25 | Win32 | `CASAS` |
+| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
+| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
+| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
+| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
+| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
+| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
+| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
+| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
+| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
+| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
+| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
+| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
+| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
+| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
+| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
+| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
+| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
+| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
+| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
+| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
+| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
+| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
+| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
+| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
+| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
+| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
+| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
+| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
+| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
+| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
+| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
+| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
+| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
+| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
+| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
+| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
+| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
+| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
+| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
+| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
+| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
+| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
+| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
+| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
+| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
## Add your own applications
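Review bot: In the added "DRC INSIGHT Online Assessments" row the vendor cell opens with an apostrophe and closes with a backtick ("'Data recognition Corporation`"), so the code span is unbalanced and will not render like the other rows; replace the apostrophe with a backtick. App Type is wrapped in backticks for "Store" but left plain for Win32, and the PaperCut vendor cell is wider than the separator row; pick one convention for each. Google Chrome stays at 102.0.5005.115 on both sides of the diff while Brave and Firefox are bumped in this same change; confirm that is still the intended supported version.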
From c3834a1287b201e2bfe7596efd3fb5ccb2ac7dd1 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 21 Dec 2022 12:45:27 -0800
Subject: [PATCH 078/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index f3a1dee970..6efaeab285 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -80,7 +80,7 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
| Application | Supported version | App Type | Vendor |
-|-------------------------------------------|-------------------|----------|--------------------------------|
+|-----------------------------------------|-------------------|----------|------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation`|
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
From b6a2f357aba1105755e14d79a3b9869086a09e32 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 21 Dec 2022 12:47:16 -0800
Subject: [PATCH 079/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 6efaeab285..f12a68449e 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -79,7 +79,7 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
-| Application | Supported version | App Type | Vendor |
+| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation`|
From 47fd00ca609024e84223014bad0d823ff53fc646 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 21 Dec 2022 12:47:55 -0800
Subject: [PATCH 080/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index f12a68449e..fe1763a6af 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -79,7 +79,7 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
-| Application | Supported version | App Type | Vendor |
+| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation`|
From 0c09c063c3b6588424c2cc50d0d4bf05eb3d5a54 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 21 Dec 2022 13:01:54 -0800
Subject: [PATCH 081/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index fe1763a6af..3a53c1a7c3 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -137,9 +137,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
-| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
-| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
-| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
+| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
+| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
+| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
From 90bd11ff0870502df29b6b5dbe2c02de57def883 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 21 Dec 2022 16:09:32 -0500
Subject: [PATCH 082/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 128 ++++++++++----------
1 file changed, 64 insertions(+), 64 deletions(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 3a53c1a7c3..bac848962f 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -79,71 +79,71 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
-| Application | Supported version | App Type | Vendor |
-|-----------------------------------------|-------------------|----------|------------------------------|
-| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
-| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation`|
-| `AirSecure` | 8.0.0 | Win32 | `AIR` |
-| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
-| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
-| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
-| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
-| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
-| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
-| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
-| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
-| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
-| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
-| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | 'Data recognition Corporation` |
-| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
-| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
-| `Epson iProjection` | 3.31 | Win32 | `Epson` |
-| `eTests` | 4.0.25 | Win32 | `CASAS` |
-| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
-| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
-| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
-| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
-| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
-| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
-| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
-| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
-| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
-| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
-| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
-| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
-| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
-| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
-| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
-| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
-| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
-| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
-| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
-| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
-| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
-| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
-| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
-| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
-| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
-| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
-| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
+| Application | Supported version | App Type | Vendor |
+|-------------------------------------------|-------------------|----------|-------------------------------------------|
+| `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
+| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
+| `AirSecure` | 8.0.0 | Win32 | `AIR` |
+| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
+| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
+| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
+| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
+| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
+| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
+| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
+| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
+| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
+| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
+| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | 'Data recognition Corporation` |
+| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
+| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
+| `Epson iProjection` | 3.31 | Win32 | `Epson` |
+| `eTests` | 4.0.25 | Win32 | `CASAS` |
+| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
+| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
+| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
+| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
+| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
+| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
+| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
+| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
+| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
+| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
+| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
+| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
+| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
+| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
+| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
+| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
+| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
+| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
+| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
+| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
+| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
+| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
+| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
+| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
+| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
+| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
+| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
-| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
-| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
-| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
-| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
-| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
-| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
-| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
-| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
-| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
-| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
-| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
-| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
-| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
-| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
-| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
-| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
-| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
+| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
+| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
+| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
+| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
+| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
+| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
+| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
+| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
+| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
+| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
+| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
+| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
+| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
+| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
+| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
+| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
+| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
## Add your own applications
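Review bot: In the realigned table, the `3d builder` row now wraps its version in backticks (`18.0.1931.0`) while every other row leaves the version as plain text, and the `DRC INSIGHT Online Assessments` vendor cell still opens with an apostrophe instead of a backtick, so that cell will not render as code. The hunk rewrites nearly every row only to re-pad the columns, which hides these two content differences. Fix both cells here, and consider keeping whitespace-only realignment in its own commit so that content changes stay reviewable.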
From 948ecabac7ec192ab52cf606d675c47ffe6800d0 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 21 Dec 2022 16:15:11 -0500
Subject: [PATCH 083/110] Update windows-11-se-overview.md
---
education/windows/windows-11-se-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index bac848962f..41a3aec43a 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -94,7 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
-| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | 'Data recognition Corporation` |
+| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
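Review bot: The replaced vendor cell fixes the opening backtick but keeps the lowercase "recognition" in `Data recognition Corporation`; the vendor's name is Data Recognition Corporation, so correct the capitalisation in the same line. The subject "Update windows-11-se-overview.md" also gives no hint that this is a markup fix; a subject naming the unbalanced backtick would serve the history better.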
From 99992caaa905bdcc3b4beffe02706a578601bd29 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 13:51:36 -0800
Subject: [PATCH 084/110] revise
---
.../tpm/trusted-platform-module-overview.md | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 9c25f71d16..1c694b1729 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -75,15 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
-| TPM 1.2 | | >= ver 1607 | | | >= ver 1607 |
-| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-
+| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
+| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
## Related topics
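Review bot: The TPM 1.2 row gains a plain "Yes" under Windows Server 2019, a factual change to the support matrix that the subject "revise" does not mention, and the cell is not bold like the **Yes** cells in the TPM 2.0 row. Please confirm the Server 2019 claim and state it in the commit message. The note above now says "Windows 10, version 1607" while the table still writes ">= ver 1607", so pick one form. The hunk also drops the blank line between the table and "## Related topics"; keep it so the heading is clearly separated from the table.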
From 3e18ff60e706f7fa98e6205a156a06f2b3ec60d0 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 14:00:44 -0800
Subject: [PATCH 085/110] fix link
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/deployment/do/mcc-isp-faq.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index 74c8351979..30982a78c1 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -37,7 +37,7 @@ sections:
- Ubuntu 20.04 LTS on a physical server or VM of your choice.
> [!NOTE]
- > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](https://learn.microsoft.com/en-us/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
+ > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
The following are recommended hardware configurations:
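Review bot: The link is now site-relative, but it still carries the query string view=iotedge-2020-11, so readers are pinned to one specific IoT Edge documentation version. Unless the Tier 1 statement holds only for that release, drop the view parameter and keep just the #tier-1 anchor. The sentence would also read better with a comma before "and Ubuntu 20.04".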
From dfa3662f265e9d40fc6df0c0b395e2d917d9f150 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 18:00:50 -0800
Subject: [PATCH 086/110] Update
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../bitlocker/bitlocker-management-for-enterprises.md | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 3acad9a900..5c994ae869 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -37,11 +37,10 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
-Note:
-Managing BitLocker except for enabling and disabling it requires one of the following licenses to be assigned to your users:
--Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
--Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
-
+> [!NOTE]
+> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
+> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
+> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
## Managing workplace-joined PCs and phones
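Review bot: The added note spells the product "Bitlocker", while the surrounding context lines use "BitLocker". The rewrite also changes "F3, E3, or E5" to "F3, E3, and E5" and "A3 or A5" to "A3 and A5" inside the parentheses; since this is a licensing statement, confirm that the new conjunction is the intended meaning. The blank line that separated the old note from "## Managing workplace-joined PCs and phones" is removed as well; keep one blank line after the block quote.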
From 5d16d00140a06cd64fc9ab1fdce27b2c08cf71e6 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 20:12:23 -0800
Subject: [PATCH 087/110] reword
---
.../deployment/update/wufb-reports-configuration-intune.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index f6e00ead05..5f07d75c3e 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
-ms.date: 12/05/2022
+ms.date: 12/22/2022
ms.technology: itpro-updates
---
@@ -49,7 +49,7 @@ Create a configuration profile that will set the required policies for Windows U
- **Setting**: Configure Telemetry Opt In Settings Ux
- **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*)
- **Setting**: Configure Telemetry Opt In Change Notification
- - **Value**: Disabled (*By turning this setting on you are disabling notifications of telemetry changes*)
+ - **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*)
- **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*)
- **Value**: Allowed
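Review bot: The reworded parenthetical still says "By turning this setting on you are disabling notifications" directly after a Value of Disabled, so a reader cannot tell whether the policy is meant to be on or off to suppress the notifications; the unchanged "Configure Telemetry Opt In Settings Ux" item above has the same mismatch. Since the line is being touched anyway, state the effect of the chosen value directly rather than describing "turning this setting on", and confirm the wording matches the policy's actual semantics.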
From dc17776e592b0d2bbe4531dfe4766f9e5cadc97d Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 22:07:37 -0800
Subject: [PATCH 088/110] add powershell code block
---
.../windows-sandbox/windows-sandbox-overview.md | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index cbbc3389e5..3987f694a9 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -49,7 +49,7 @@ Windows Sandbox has the following properties:
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
```powershell
- Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true
+ Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
```
3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
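Review bot: After this change the command reads "Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true", with no VM name or placeholder after -VMName, so it fails if copied as written. Removing the stray backslash is right, but the line needs a visible placeholder for the VM name (for example <VMName>), and the sentence above the block should tell the reader to replace it.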
@@ -57,7 +57,11 @@ Windows Sandbox has the following properties:
If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
> [!NOTE]
- > To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**.
+ > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
+ >
+ > ```powershell
+ > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
+ > ```
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
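Review bot: The new fenced block sits inside a [!NOTE] block quote nested under step 3, so every added line, including the bare ">" separator, must keep the same indentation as the "> [!NOTE]" line or the fence will render as literal text. Step 3 tells GUI users to "Restart the computer if you're prompted"; the PowerShell path in the note enables the same feature and should carry the same restart remark.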
From 0980646e28931b160181627235af499c655271cd Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 22 Dec 2022 22:27:25 -0800
Subject: [PATCH 089/110] fix registry path
---
windows/configuration/kiosk-single-app.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 1fe629ddd5..3724425208 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -337,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
-`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
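Review bot: The unescaped HKEY_LOCAL_MACHINE path is correct inside backticks, but the following line still leaves the reader to work out the value: "enter the value data as milliseconds in hexadecimal" with no example. Add one tied to the stated default, such as 30 seconds = 30000 ms = 0x7530, so an administrator changing the resume time for a kiosk does not enter a decimal number by mistake.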
From 89dfa36ede376883d959a84822faf30616c1e8a7 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:34:33 +0530
Subject: [PATCH 090/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../security-policy-settings/security-options.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 6a88de5b89..b7b56bf6a8 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -19,6 +19,7 @@ ms.topic: conceptual
# Security Options
**Applies to**
+- Windows 11
- Windows 10
Provides an introduction to the **Security Options** settings for local security policies and links to more information.
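Review bot: The only evidence offered for adding Windows 11 under **Applies to** is the commit message's statement that the article was read, and the diffstat shows a single insertion, so ms.date in the front matter is left unchanged. Please say how Windows 11 applicability was verified for the settings this page covers, update ms.date together with the content change as patch 087 does, and fold the identical one-line commits that follow into a single commit covering all of the security-policy-settings files.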
From 45303a8ee382d0ce6f8b429a2faf01142784f1ff Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:36:42 +0530
Subject: [PATCH 091/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../accounts-administrator-account-status.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 03e09cb0e4..e247a80951 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Administrator account status
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.
From 9803c5447d638288073a0f93fab0601f5ec23dfe Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:37:45 +0530
Subject: [PATCH 092/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../accounts-block-microsoft-accounts.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index 31ea250022..bd80ebe594 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Block Microsoft accounts
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.
From 7c01db55502734238112bce4c65a5f9437ec2c90 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:38:39 +0530
Subject: [PATCH 093/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../security-policy-settings/accounts-guest-account-status.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index e8296570ec..f23fc8dd7e 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Guest account status - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.
From 0025691668a91ba529d96acfb9b3492606c0ea09 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:40:05 +0530
Subject: [PATCH 094/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
...local-account-use-of-blank-passwords-to-console-logon-only.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 632ece9ddd..6b3f24d9e6 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Limit local account use of blank passwords to console logon only
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting.
From bdb14bf7d959d5c72862927636d43c9afba68021 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:41:09 +0530
Subject: [PATCH 095/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../accounts-rename-administrator-account.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index dedf4c2e88..bd8090dfe7 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Rename administrator account
**Applies to**
+- Windows 11
- Windows 10
This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
From 904db045a85cf314dd0424bde7c5854db6351cb6 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:42:10 +0530
Subject: [PATCH 096/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../security-policy-settings/accounts-rename-guest-account.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index 53052044e5..6bfcf412ae 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Accounts: Rename guest account - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.
From b11de88be609aa3eb2ad86b73309be441fba9348 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:43:57 +0530
Subject: [PATCH 097/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../audit-audit-the-use-of-backup-and-restore-privilege.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 25d16578cf..7d38765755 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Audit: Audit the use of Backup and Restore privilege
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.
From 90373e03e43de8030ca6237e6e27324f3c51b19e Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:44:59 +0530
Subject: [PATCH 098/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../audit-force-audit-policy-subcategory-settings-to-override.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 17ed033d50..42e645eb95 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting.
From 61c7695b48e316ccc606a8d168ff41a45d929b57 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:46:20 +0530
Subject: [PATCH 099/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
...t-down-system-immediately-if-unable-to-log-security-audits.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index a470ec0246..614fbe0d12 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Audit: Shut down system immediately if unable to log security audits
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting.
From 038e5987f11bef8da2f8623252586bce1163e7a0 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:49:38 +0530
Subject: [PATCH 100/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
...ons-in-security-descriptor-definition-language-sddl-syntax.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index e9ee7fcc6c..e549425217 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting.
From ed22195359255784c51de7d20531ae566276fda9 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:51:14 +0530
Subject: [PATCH 101/110] added windows 11
after reading this article, I confirmed Windows 11 is supported
---
.../devices-allow-undock-without-having-to-log-on.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index 1b00fd452b..42bcd1198e 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Devices: Allow undock without having to log on
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.
From 25cb7f60c0c3bafc6b49fa1413a5c39387d5239b Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:52:12 +0530
Subject: [PATCH 102/110] added windows 11
After reading this article, I confirmed Windows 11 is supported
---
.../devices-allowed-to-format-and-eject-removable-media.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index 1a2d4569b1..f27b736149 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Devices: Allowed to format and eject removable media
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.
From eacb0fb990dff233514745899177417ae2b54cc9 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:53:24 +0530
Subject: [PATCH 103/110] added windows 11
After reading this article, I confirmed Windows 11 is supported
---
.../devices-prevent-users-from-installing-printer-drivers.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index c23872dd05..48ec7ee37d 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Devices: Prevent users from installing printer drivers
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.
From b330f20677efe021ab0d8e11e7a6dd8e5cbbbd90 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Dec 2022 17:54:19 +0530
Subject: [PATCH 104/110] added windows 11
After reading this article, I confirmed Windows 11 is supported
---
...ices-restrict-cd-rom-access-to-locally-logged-on-user-only.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index b7bf3097f3..606f90388d 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Devices: Restrict CD-ROM access to locally logged-on user only
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting.
From 8eaaabdcc9be9b42178060d7ed3992cd3df687f9 Mon Sep 17 00:00:00 2001
From: Office Content Publishing
<34616516+officedocspr@users.noreply.github.com>
Date: Sat, 24 Dec 2022 23:31:23 -0800
Subject: [PATCH 105/110] Uploaded file: education-content-updates.md -
2022-12-24 23:31:23.1583
---
education/includes/education-content-updates.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index ca2950ff0a..1b6cd93ec5 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,14 @@
+## Week of December 19, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+
+
## Week of December 12, 2022
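Review bot: Style point on the added table header: `| Published On |Topic title | Change |` is missing the space after the second pipe, and the new section has two consecutive blank lines both before and after the table, where one on each side is enough. If this file is generated, the fix belongs in the generator rather than in this commit.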
From 3e080a5bbf9465c62cd7b400c4835137a3de3dbb Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com>
Date: Tue, 27 Dec 2022 08:59:53 -0800
Subject: [PATCH 106/110] Update event-4661.md
---
windows/security/threat-protection/auditing/event-4661.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index a49b9f501e..6cc68892c8 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -158,7 +158,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
**Access Request Information:**
-- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
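Review bot: The replacement line fixes "the same the" but keeps the curly quotes around the 4660 reference and has no space between `[4660](event-4660.md)` and `(S)`; since the line is already being rewritten, consider straight quotes and a space there. The unchanged line that follows uses the same curly quotes around the all-zero GUID, so both are worth changing together.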
From 80325a556b3096e528f6d4d0a9c51e3ff465887a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 28 Dec 2022 08:55:03 -0500
Subject: [PATCH 107/110] updated feature description
---
.../hello-for-business/hello-faq.yml | 16 ++++++++--------
.../hello-for-business/hello-overview.md | 4 ++--
.../whats-new-windows-10-version-1809.md | 7 +++++--
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 97b2ab5354..7110c8ac4c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -1,7 +1,7 @@
### YamlMime:FAQ
metadata:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
- description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: windows-client
ms.technology: itpro-security
@@ -29,16 +29,16 @@ sections:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+ Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: What about virtual smart cards?
answer: |
- Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
+ Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business.
- question: What about convenience PIN?
answer: |
- Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
+ While *convenience PIN* provides a convenient way to sign in to Windows, it stills uses a password for authentication. Customers using *convenience PINs* should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
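Review bot: The rewritten convenience PIN answer carries over the typo "it stills uses a password"; it should read "it still uses". The same hunk also mixes emphasis styles for terms: italics for *cloud Kerberos trust* and *convenience PIN*, bold for **trust model** and **Windows Hello for Business**. Pick one convention and apply it across the three answers.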
@@ -63,7 +63,7 @@ sections:
- question: How can a PIN be more secure than a password?
answer: |
- When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
+ When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- question: What's a container?
@@ -169,7 +169,7 @@ sections:
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+ When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
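Review bot: The changed line still contains the run-on "an enrollment profile is created more information can be found on [Windows Hello face authentication]"; the removed and added lines read identically here, so the change appears to be whitespace only. Since the line is being touched, end the sentence after "is created" and start a new one with "For more information, see". In the same line, "rather than on Windows device" is missing an article.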
@@ -233,9 +233,9 @@ sections:
- question: How does PIN caching work with Windows Hello for Business?
answer: |
- Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
+ Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
- Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
+ Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 50d6d7f166..48c16385f3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -45,9 +45,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
## The difference between Windows Hello and Windows Hello for Business
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication.
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication.
-- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**.
+- *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*.
## Benefits of Windows Hello
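Review bot: Emphasis is now inconsistent within this commit: these bullets switch **Windows Hello for Business** and **Windows Hello convenience PIN** from bold to italics, while the hello-faq.yml change in the same patch introduces bold **Windows Hello for Business** in the convenience PIN answer. Choose one convention for product and feature names and apply it in both files.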
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 17928723f6..776e3fd5fe 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -286,9 +286,12 @@ One of the things we’ve heard from you is that it’s hard to know when you’
## Remote Desktop with Biometrics
-Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
+Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.
-To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
+Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session.
+
+To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN.
See the following example:
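Review bot: The two added paragraphs beginning "Windows Hello for Business supports using a certificate" and "Users using earlier versions of Windows 10" sit on consecutive lines with no blank line between them, so Markdown will render them as a single paragraph; add a blank line if two paragraphs were intended. In the added text, "users using Windows Hello for Business in a certificate trust model, can use biometrics" has a stray comma before "can", and "Windows remembers that you signed using" is missing "in".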
From 710344733137f105ebe9ca3a096970ad9daf42a8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 28 Dec 2022 10:21:38 -0500
Subject: [PATCH 108/110] updates
---
...n-on-sso-over-vpn-and-wi-fi-connections.md | 50 ++++++++++---------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 371193641b..e44a13a1a8 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,9 +1,9 @@
---
-title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
+title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: windows-client
author: paolomatarazzo
-ms.date: 03/22/2022
+ms.date: 12/28/2022
manager: aaroncz
ms.author: paoloma
ms.reviewer: pesmith
@@ -18,47 +18,49 @@ ms.topic: how-to
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
-- Connecting to a network using Wi-Fi or VPN.
-- Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource without being prompted for your domain credentials.
+- Connecting to a network using Wi-Fi or VPN
+- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
-The credentials that are used for the connection authentication are placed in Credential Manager as the default credentials for the logon session. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
-- For VPN, the VPN stack saves its credential as the session default.
-- For WiFi, Extensible Authentication Protocol (EAP) provides support.
+The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
-The credentials are placed in Credential Manager as a "\*Session" credential.
-A "\*Session" credential implies that it is valid for the current user session.
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
+- For VPN, the VPN stack saves its credential as the **session default**
+- For WiFi, Extensible Authentication Protocol (EAP) provides support
+
+The credentials are placed in Credential Manager as a *session credential*:
+
+- A *session credential* implies that it is valid for the current user session
+- The credentials are cleaned up when the WiFi or VPN connection is disconnected
> [!NOTE]
-> In Windows 10, version 21h2 and later, the "\*Session" credential is not visible in Credential Manager.
+> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager.
-For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).
The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application.
If the app isn't a UWP, it doesn't matter.
-But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication.
+But, if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone
-For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+For the Intranet zone, by default it only allows single-label names, such as *http://finance*.
If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](/windows/client-management/mdm/registry-csp).
### Setting the ZoneMap
The ZoneMap is controlled using a registry that can be set through MDM.
-By default, single-label names such as http://finance are already in the intranet zone.
-For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
+By default, single-label names such as *http://finance* are already in the intranet zone.
+For multi-label names, such as *http://finance.net*, the ZoneMap needs to be updated.
## MDM Policy
OMA URI example:
-./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser.
+`./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/` as an `Integer` value of `1` for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser.
## Credential requirements
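Review bot: Replacing the literal "\*Session" with *session credential* in the Credential Manager paragraph and in the NOTE removes the exact name the old text gave for the entry; keep the literal once alongside the new term so readers can still match it against what they see or search for. The added lines also mix "Wi-Fi" (second scenario bullet) with "WiFi" (the EAP bullet and the cleanup bullet). In the OMA URI example, the path embeds a specific user SID under HKU; mark it as an example value that must be replaced with the target user's SID.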
@@ -66,10 +68,10 @@ For VPN, the following types of credentials will be added to credential manager
- Username and password
- Certificate-based authentication:
- - TPM Key Storage Provider (KSP) Certificate
- - Software Key Storage Provider (KSP) Certificates
- - Smart Card Certificate
- - Windows Hello for Business Certificate
+ - TPM Key Storage Provider (KSP) Certificate
+ - Software Key Storage Provider (KSP) Certificates
+ - Smart Card Certificate
+ - Windows Hello for Business Certificate
The username should also include a domain that can be reached over the connection (VPN or WiFi).
@@ -79,10 +81,10 @@ If the credentials are certificate-based, then the elements in the following tab
| Template element | Configuration |
|------------------|---------------|
-| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
-| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
+| SubjectName | The user's distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
+| SubjectAlternativeName | The user's fully qualified UPN where a domain name component of the user's UPN matches the organizations internal domain's DNS namespace. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
-| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN) - EAP Filtering OID (for Windows Hello for Business)- SmartCardLogon (for Azure AD-joined devices) If the domain controllers require smart card EKU either:- SmartCardLogon- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
+| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD-joined devices)
If the domain controllers require smart card EKU either:- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)
|
## NDES server configuration
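Review bot: The rewritten SubjectAlternativeName row replaces the curly apostrophes but leaves "the organizations internal domain's DNS namespace", which needs the possessive "organization's". In the EnhancedKeyUsage row, "either:- SmartCardLogon" and "Otherwise:- TLS/SSL Client Authentication" run the label straight into the list marker; add a space or a break after the colon so these match the other items in the cell.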
From 71496988589b2ed0952461098b405db0ae8d381b Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Tue, 3 Jan 2023 12:16:07 -0500
Subject: [PATCH 109/110] Update install-md-app-guard.md
---
.../microsoft-defender-application-guard/install-md-app-guard.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 97f4e14332..57977dcbe6 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr
ms.technology: itpro-security
ms.collection:
- highpri
+ms.topic: how-to
---
# Prepare to install Microsoft Defender Application Guard
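Review bot: Confirm the front matter does not already declare `ms.topic` above the added line; the hunk only shows the block from `ms.technology` onward (with `ms.custom: asr` in the hunk header), and a duplicate key further up would make the metadata ambiguous. The subject "Update install-md-app-guard.md" also says nothing about the change; a subject that names the added `ms.topic: how-to` value would make the log easier to read.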
From a156149ebd870d3de481b4abf23f109d0f73a707 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Tue, 3 Jan 2023 17:15:55 -0800
Subject: [PATCH 110/110] remove old note per PM
---
windows/deployment/do/waas-delivery-optimization-setup.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 44ace484d1..8b49d9f487 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -92,8 +92,6 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
-[//]: # (default of 50 aimed at consumer)
-
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
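Review bot: The MDM line in the trailing context tells the reader to set DOMinFileSizeToCache to 100 for more than 30 devices, while the paragraph above and the Group Policy line both give 10 for the same case. Since this patch is already editing this passage, make the MDM value agree with the 10 MB guidance or state why it differs. Dropping the `[//]: #` comment is fine on its own, as it carried no rendered text.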